Red Hat Training

A Red Hat training course is available for Red Hat Virtualization

4.3. Replacing SHA-1 Certificates with SHA-256 Certificates

Red Hat Virtualization 4.1 uses SHA-256 signatures, which provide a more secure way to sign SSL certificates than SHA-1. Newly installed 4.1 systems do not require any special steps to enable Red Hat Virtualization's public key infrastructure (PKI) to use SHA-256 signatures. However, for upgraded systems one of the following is recommended:
  • Option 1: Prevent warning messages from appearing in your browser when connecting to the Administration Portal. These warnings may either appear as pop-up windows or in the browser's Web Console window. This option is not required if you already replaced the Red Hat Virtualization Manager's Apache SSL certificate after the upgrade. However, if the certificate was signed with SHA-1, you should replace it with an SHA-256 certificate. For more details see Replacing the Red Hat Virtualization Manager SSL Certificate in the Administration Guide.
  • Option 2: Replace the SHA-1 certificates throughout the system with SHA-256 certificates.

Procedure 4.3. Preventing Warning Messages from Appearing in the Browser

  1. Log in to the Manager machine as the root user.
  2. Check whether /etc/pki/ovirt-engine/openssl.conf includes the line default_md = sha256:
    # cat /etc/pki/ovirt-engine/openssl.conf
    If it still includes default_md = sha1, back up the existing configuration and change the default to sha256:
    # cp -p /etc/pki/ovirt-engine/openssl.conf /etc/pki/ovirt-engine/openssl.conf."$(date +"%Y%m%d%H%M%S")"
    # sed -i 's/^default_md = sha1/default_md = sha256/' /etc/pki/ovirt-engine/openssl.conf
    
  3. Define the certificate that should be re-signed:
    # names="apache"
  4. For self-hosted engine environments, log in to one of the self-hosted engine nodes and enable global maintenance:
    # hosted-engine --set-maintenance --mode=global
    
  5. On the Manager, re-sign the Apache certificate:
    for name in $names; do
        subject="$(
            openssl \
                x509 \
                -in /etc/pki/ovirt-engine/certs/"${name}".cer \
                -noout \
                -subject \
            | sed \
                's;subject= \(.*\);\1;' \
        )"
       /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
            --name="${name}" \
            --password=mypass \
            --subject="${subject}" \
            --keep-key 
    done
    
  6. Restart the httpd service:
    # systemctl restart httpd
    
  7. For self-hosted engine environments, log in to one of the self-hosted engine nodes and disable global maintenance:
    # hosted-engine --set-maintenance --mode=none
    
  8. Connect to the Administration Portal to confirm that the warning no longer appears.
  9. If you previously imported a CA or https certificate into the browser, find the certificate(s), remove them from the browser, and reimport the new CA certificate. Install the certificate authority according to the instructions provided by your browser. To get the certificate authority's certificate, navigate to http://your-manager-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA, replacing your-manager-fqdn with the fully qualified domain name (FQDN).

Procedure 4.4. Replacing All Signed Certificates with SHA-256

  1. Log in to the Manager machine as the root user.
  2. Check whether /etc/pki/ovirt-engine/openssl.conf includes the line default_md = sha256:
    # cat /etc/pki/ovirt-engine/openssl.conf
    If it still includes default_md = sha1, back up the existing configuration and change the default to sha256:
    # cp -p /etc/pki/ovirt-engine/openssl.conf /etc/pki/ovirt-engine/openssl.conf."$(date +"%Y%m%d%H%M%S")"
    # sed -i 's/^default_md = sha1/default_md = sha256/' /etc/pki/ovirt-engine/openssl.conf
    
  3. Re-sign the CA certificate by backing it up and creating a new certificate in ca.pem.new:
    # cp -p /etc/pki/ovirt-engine/private/ca.pem /etc/pki/ovirt-engine/private/ca.pem."$(date +"%Y%m%d%H%M%S")"
    # openssl x509 -signkey /etc/pki/ovirt-engine/private/ca.pem -in /etc/pki/ovirt-engine/ca.pem -out /etc/pki/ovirt-engine/ca.pem.new -days 3650 -sha256
  4. Replace the existing certificate with the new certificate:
    # mv /etc/pki/ovirt-engine/ca.pem.new /etc/pki/ovirt-engine/ca.pem
  5. Define the certificates that should be re-signed:
    # names="engine apache websocket-proxy jboss imageio-proxy"
    
    If you replaced the Red Hat Virtualization Manager SSL Certificate after the upgrade, run the following instead:
    # names="engine websocket-proxy jboss imageio-proxy"
    
    For more details see Replacing the Red Hat Virtualization Manager SSL Certificate in the Administration Guide.
  6. For self-hosted engine environments, log in to one of the self-hosted engine nodes and enable global maintenance:
    # hosted-engine --set-maintenance --mode=global
    
  7. On the Manager, re-sign the certificates:
    for name in $names; do
       subject="$(
            openssl \
                x509 \
                -in /etc/pki/ovirt-engine/certs/"${name}".cer \
                -noout \
                -subject \
            | sed \
                's;subject= \(.*\);\1;' \
            )"
         /usr/share/ovirt-engine/bin/pki-enroll-pkcs12.sh \
                --name="${name}" \
                --password=mypass \
                --subject="${subject}" \
                --keep-key 
    done
    
  8. Restart the following services:
    # systemctl restart httpd
    # systemctl restart ovirt-engine
    # systemctl restart ovirt-websocket-proxy
    # systemctl restart ovirt-imageio-proxy
    
  9. For self-hosted engine environments, log in to one of the self-hosted engine nodes and disable global maintenance:
    # hosted-engine --set-maintenance --mode=none
    
  10. Connect to the Administration Portal to confirm that the warning no longer appears.
  11. If you previously imported a CA or https certificate into the browser, find the certificate(s), remove them from the browser, and reimport the new CA certificate. Install the certificate authority according to the instructions provided by your browser. To get the certificate authority's certificate, navigate to http://your-manager-fqdn/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA, replacing your-manager-fqdn with the fully qualified domain name (FQDN).
  12. Enroll the certificates on the hosts. Repeat the following procedure for each host.
    1. In the Administration Portal, click the Hosts tab.
    2. Select the host, and click ManagementMaintenance.
    3. Once the host is in maintenance mode, click InstallationEnroll Certificate.
    4. Click ManagementActivate.