3.4. Renewing certificates before they expire

In Red Hat Virtualization earlier than version 4.4 SP1, all certificates followed a 398 day lifetime. Starting in Red Hat Virtualization version 4.4 SP1, the self-signed internal certificates between hypervisors and the Manager follow a five year lifetime. Certificates visible to web browsers still follow the standard 398 day lifetime and must be renewed once per year.

Warning

Do not let certificates expire. If they expire, the host and Manager stop responding, and recovery is an error-prone and time-consuming process.

Procedure

  1. Renew the host certificates:

    1. In the Administration Portal, click ComputeHosts.
    2. Click ManagementMaintenance and then click OK. The virtual machines should automatically migrate away from the host. If they are pinned or otherwise cannot be migrated, you must shut them down.
    3. When the host is in maintenance mode and there are no more virtual machines remaining on this host, click InstallationEnroll Certificate.
    4. When enrollment is complete, click ManagementActivate.

  2. Renew the Manager certificates:

    1. Self-hosted engine only: log in to the host and put it in global maintenance mode. 

      # hosted-engine --set-maintenance --mode=global

    2. Self-hosted engine and standalone Manager: log in to the Manager and run engine-setup. 

      # engine-setup --offline

      The engine-setup script prompts you with configuration questions. Respond to the questions as appropriate or use an answers file.

    3. Enter Yes after the following engine-setup prompt: 

      Renew certificates? (Yes, No) [Yes]:

    4. Self-hosted engine only: log in to the host and disable global maintenance mode: 

      # hosted-engine --set-maintenance --mode=none

Additional resources