[RHV 4.4] How to recreate all certificates in the RHV PKI if the private key is too weak

Environment

  • Red Hat Virtualization Manager (RHV-M) 4.4

Issue

  • We need to recreate the RHV CA because the private key is too weak (1024 bits).

Resolution

IMPORTANT NOTE: This procedure replaces the main CA certificate, making all certificates in the environment untrusted. You won't be able to manage the hosts and VMs until all the certificates in the environment have been re-signed.

Initial backup

1. Manager:

# engine-backup --mode=backup --scope=all --file="/var/lib/ovirt-engine/backups/engine-backup-$(date +%Y%m%d%H%M%S).tar.bz2" --log=/var/log/ovirt-engine-backups.log
# tar cJpf /root/pki.tar.xz /etc/pki

2. Hosts:

# tar cJpf /root/pki.tar.xz /etc/pki

CA and engine certificates

1. Edit all the clusters to disable the power management: Fencing policy -> Uncheck "Enable fencing".
2. Set the global HA maintenance mode.
3. Verify that default_md = sha256 is configured in /etc/pki/ovirt-engine/openssl.conf.
4. Update to the latest engine setup packages:

# dnf update ovirt\*setup\* rh\*vm-setup-plugins

5. Create the new CA:

# SUBJECT="$(openssl x509 -in /etc/pki/ovirt-engine/ca.pem -subject -noout -nameopt compat | sed 's;subject=\(.*\);\1;')"
# /usr/share/ovirt-engine/bin/pki-create-ca.sh --subject="${SUBJECT}" --keystore-password=mypass --ca-file=ca

6. Run engine-setup:

# engine-setup --offline

Hosts re-enrollment

Every host has to re-enroll its certificates following solution 6215911.

Final steps

After checking that everything is working correctly again, re-enable the fencing in the clusters and remove the global HA maintenance mode.

Root Cause

  • If the CA private key has to change, the whole PKI has to be re-created, because every certificate in the environment is signed by that key.
  • When the RHV-M CA changes, the hosts become NonResponsive and a manual re-enrollment of their certificates is needed.

Diagnostic Steps

Get the information of the CA certificate:

# openssl x509 -in /etc/pki/ovirt-engine/ca.pem -text -noout
# openssl rsa -in /etc/pki/ovirt-engine/private/ca.pem -text -noout
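The two openssl commands above print the full certificate and key dumps; the part that matters for this issue is the "Public-Key: (N bit)" line, and step 5 earlier needs the subject in the exact form the article's SUBJECT variable uses. The script below is an added example, not part of this Red Hat solution: it wraps both checks in small functions, flags a CA key below 2048 bits, and demonstrates them on throwaway self-signed certificates it generates itself (constructed demo data, not the real /etc/pki/ovirt-engine files). It assumes the openssl CLI and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): inspect a CA certificate,
# extract its subject the same way step 5 of the article does, and flag an
# RSA key smaller than 2048 bits. Assumes the openssl CLI is installed.

# Print the size in bits of the certificate's RSA public key
# (parsed from the "Public-Key: (N bit)" line of the text dump).
ca_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the subject in the form the article's SUBJECT variable expects
# (compat name format, "subject=" prefix stripped).
ca_subject() {
    openssl x509 -in "$1" -subject -noout -nameopt compat |
        sed 's;subject=\(.*\);\1;'
}

# Return 0 when the key is at least 2048 bits, 1 when it is too weak.
ca_key_ok() {
    bits="$(ca_key_bits "$1")"
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Build a throwaway self-signed CA of a given key size (constructed demo data).
#   $1 = key size in bits, $2 = path of the certificate to write
make_demo_ca() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
        -subj "/C=US/O=example.test/CN=demo-ca" \
        -keyout "${2%.pem}.key" -out "$2" >/dev/null 2>&1
}

# Run the checks against one weak and one acceptable demo CA.
demo() {
    dir="$(mktemp -d)"
    make_demo_ca 1024 "$dir/weak.pem"
    make_demo_ca 2048 "$dir/strong.pem"
    for cert in "$dir/weak.pem" "$dir/strong.pem"; do
        if ca_key_ok "$cert"; then
            echo "OK   $(ca_key_bits "$cert") bits  $(ca_subject "$cert")"
        else
            echo "WEAK $(ca_key_bits "$cert") bits  $(ca_subject "$cert")  -> re-create the PKI"
        fi
    done
    rm -rf "$dir"
}

demo
```

On a real Manager, point `ca_key_ok` at /etc/pki/ovirt-engine/ca.pem before starting the procedure, and run it again after engine-setup finishes to confirm the new CA is no longer reported as weak.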

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
