3.4. Renewing certificates before they expire
In Red Hat Virtualization earlier than version 4.4 SP1, all certificates followed a 398 day lifetime. Starting in Red Hat Virtualization version 4.4 SP1, the self-signed internal certificates between hypervisors and the Manager follow a five year lifetime. Certificates visible to web browsers still follow the standard 398 day lifetime and must be renewed once per year.
Do not let certificates expire. If they expire, the host and Manager stop responding, and recovery is an error-prone and time-consuming process.
Renew the host certificates:
- In the Administration Portal, click Compute → Hosts.
- Click Management → Maintenance and then click OK. The virtual machines should automatically migrate away from the host. If they are pinned or otherwise cannot be migrated, you must shut them down.
- When the host is in maintenance mode and there are no more virtual machines remaining on this host, click Installation → Enroll Certificate.
- When enrollment is complete, click Management → Activate.
Renew the Manager certificates:
Self-hosted engine only: log in to the host and put it in global maintenance mode.
# hosted-engine --set-maintenance --mode=global
Self-hosted engine and standalone Manager: log in to the Manager and run
# engine-setup --offline
engine-setupscript prompts you with configuration questions. Respond to the questions as appropriate or use an answers file.
Yesafter the following
Renew certificates? (Yes, No) [Yes]:
Self-hosted engine only: log in to the host and disable global maintenance mode:
# hosted-engine --set-maintenance --mode=none