[DEPRECATED][RHEV2.2]RHEV certificates


Environment

Red Hat Enterprise Virtualization Manager 2.*

Issue

What are the certificates created and used by RHEV?

Resolution

NOTE: the solution below applies to an old version that has reached its End of Life (EOL), RHEV 2.2.
For a more current solution on this subject, refer to this.

There are 3 different types of certificates used by RHEV: the RHEVM CA self-signed certificate, the RHEVM personal certificate and the code-signing certificate.

The RHEVM CA and RHEVM personal certificates are required for establishing secure communication between the different components of RHEV:

  • between RHEV-M and the User/Admin Portal, via HTTPS.

  • between the RHEV-M internal parts (frontend and backend), via WCF.

  • between RHEV-M and the hosts, via SSH.

The code-signing certificate is required for WPF code to run on the client. The Admin Portal is a WPF application; this is a .NET application that requires full-trust settings, which is achieved by code signing.

It is signed by the third-party certification authority VeriSign, whose certificate must also be present on the client system; it is usually installed together with the OS.

Certificates on Windows are organized into different certificate stores and can be accessed via the Certificate Manager console.

RHEV-M installs all of its certificates under the Local Computer account.

To access this console and manage the certificates:

  1. Open mmc:
    • Start -> Run -> mmc
  2. Add Certificate snap-in to mmc:
    • Add/Remove Snap-in-> add -> Certificates: add Computer Account > Local Computer -> Ok

On a Linux host you can examine the certificates as plain text files or with the `openssl x509` utility.

Below is a detailed overview of all the certificates created and used by RHEV:

RHEVM CA

This is the RHEVM CA public key and certificate. It is self-signed, created during RHEV-M installation, and then used to sign the other certificates on the system to provide secure communication.

Located in the Trusted Root Certification Authorities store.

FQDN Personal Certificate

Created during RHEV-M installation as the personal certificate of this RHEV-M machine. (It is recreated on every reinstallation, so be careful.)

It is signed by the RHEVM CA, which is created one step earlier during the same installation.

Located in the Personal store.

Used for secure communication between the internal RHEVM components and for accessing the Admin/User Portal over HTTPS.

Red Hat, Inc

Located in the Trusted Publishers store.

Signed by the VeriSign Class 3 Code Signing CA.

Used to sign the .NET code so that the WPF application meets the full-trust requirement.

Also used to sign the RHEV-M license.

VeriSign Class 3 Code Signing

Located in the Intermediate Certification Authorities store.

Used to sign the Red Hat, Inc certificate, which provides full trust for the WPF application.

It is provided by the RHEVM installer, but as a public CA certificate it is also available over the Internet.

Hosts certificates

Each host generates its own key and certificate and sends a signing request to RHEV-M as part of the host attachment procedure.

RHEV-M signs the host's certificate with the RHEVM CA and sends it back to the host. After this, the host and RHEV-M are able to communicate securely.

Certificate locations on the host:

/var/vdsm/ts/certs   # public keys and certificates
     cacert.pem
     vdsmcert.pem
/var/vdsm/ts/keys    # private keys
     vdsmkey.pem
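The attachment flow above (host key and signing request, RHEV-M signing with the RHEVM CA) and the `openssl x509` checks mentioned earlier, as an added example that is not part of the original article: it rebuilds the same relationship in a scratch directory and then runs the checks an admin would run on a real host. It assumes the openssl CLI is installed; the file names mirror the host layout but live under a temporary directory rather than /var/vdsm/ts, and the CN values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): rebuilds the RHEVM CA / host certificate
# relationship in a scratch directory, then runs the checks an admin would run on
# a real host. Assumes the openssl CLI is installed. File names mirror the host
# layout (cacert.pem, vdsmcert.pem, vdsmkey.pem) but live under a temp dir,
# not /var/vdsm/ts; the CN values are constructed placeholders.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CERTS="$WORK/certs"; KEYS="$WORK/keys"
mkdir -p "$CERTS" "$KEYS"

# Manager side: the self-signed RHEVM CA, created once at RHEV-M install time.
rhevm_make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=rhevm-ca.example.invalid" \
        -keyout "$KEYS/cakey.pem" -out "$CERTS/cacert.pem" 2>/dev/null
}

# Host side: the host generates its own private key and a signing request.
host_make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=host1.example.invalid" \
        -keyout "$KEYS/vdsmkey.pem" -out "$WORK/host.csr" 2>/dev/null
}

# Manager side: RHEV-M signs the request with the RHEVM CA and returns the cert.
rhevm_sign_host() {
    openssl x509 -req -in "$WORK/host.csr" -CA "$CERTS/cacert.pem" \
        -CAkey "$KEYS/cakey.pem" -CAcreateserial -days 365 \
        -out "$CERTS/vdsmcert.pem" 2>/dev/null
}

# Host-side health check: the cert chains to the CA, matches the private key,
# and does not expire within 30 days (2592000 s). Returns non-zero on failure,
# e.g. when the host still holds a cert issued by a previous RHEV-M installation.
host_cert_ok() {
    openssl verify -CAfile "$CERTS/cacert.pem" "$CERTS/vdsmcert.pem" >/dev/null 2>&1 || return 1
    cert_mod=$(openssl x509 -noout -modulus -in "$CERTS/vdsmcert.pem")
    key_mod=$(openssl rsa -noout -modulus -in "$KEYS/vdsmkey.pem" 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || return 1
    openssl x509 -noout -checkend 2592000 -in "$CERTS/vdsmcert.pem" >/dev/null
}

# Who signed the host cert: prints the RHEVM CA subject as the issuer.
host_cert_issuer() { openssl x509 -noout -issuer -in "$CERTS/vdsmcert.pem"; }

rhevm_make_ca && host_make_csr && rhevm_sign_host
host_cert_ok && echo "host certificate OK: $(host_cert_issuer)"
```

On a real host, point CERTS and KEYS at /var/vdsm/ts/certs and /var/vdsm/ts/keys and run only host_cert_ok and host_cert_issuer; a failing chain check after a RHEV-M reinstall is the symptom the comments below describe.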

Comments

  • (!) The Red Hat, Inc certificate used by version 2.1 expired in November 2010. Customers running version 2.1 should upgrade to 2.2 in order to be able to access the Admin Portal.
  • (!) If you reinstall RHEV-M, it creates a new Personal Certificate for that machine. Consequently, all hosts connected to this server must be re-connected (removed and added again) to obtain the new certificate and re-enable secure communication.
  • Attached to this article are the RHEVM CA and Red Hat, Inc certificates. They are valid for RHEV version 2.2.4 and up.
    When to use them: if you are running 2.2.4 or later and for some reason your certificates have become corrupted.
    How to use them: import them into the relevant store.
