- Generate a signing request on the system where oVirt Manager is running (the engine server):

  ```shell
  openssl req -new -sha256 -key /etc/pki/ovirt-engine/keys/apache.key.nopass -out /tmp/engine.csr
  ```
- Submit the CSR to the issuer and wait for the certificate. If you are the issuer yourself and use FreeIPA/IdM, you can issue the certificate with ipa-admintools, for example:

  ```shell
  ipa host-add engine.example.com
  ipa cert-request --add --principal=HTTP/engine.example.com /tmp/engine.csr
  ipa cert-show 536739860 --out=/tmp/engine.crt
  ```
- Copy the newly issued server certificate to the engine server as **/etc/pki/ovirt-engine/certs/apache.cer**
- You must also install the issuer's signing certificate in three locations on the engine server:
  - **/etc/pki/ovirt-engine/ca.pem**
  - **/etc/pki/ovirt-engine/apache-ca.pem**
  - **/etc/pki/ca-trust/source/anchors/apache-ca.pem**
- The following commands install the issuer's certificate in the system-wide Java trust store and list that store's entry so that you can verify the fingerprint:

  ```shell
  update-ca-trust extract
  keytool -list -alias certificateauthority -keystore /etc/pki/java/cacerts
  ```
- Create or modify /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf so that it contains the two variables below, which configure ovirt-engine.service to trust the system-wide trust store instead of oVirt's built-in SSO trust store:

  ```
  ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
  ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
  ```
- Restart the engine and Apache services on the engine server:

  ```shell
  systemctl restart ovirt-engine.service httpd.service
  ```
- Wait about a minute before logging in to the Manager GUI
- Copy the issuer's signing certificate to each of the following locations on the oVirt host:
  - **/etc/pki/CA/cacert.pem**
  - **/etc/pki/vdsm/certs/cacert.pem**
  - **/etc/pki/vdsm/libvirt-spice/ca-cert.pem**
- Generate a CSR on the oVirt host:

  ```shell
  openssl req -new -sha256 -key /etc/pki/vdsm/keys/vdsmkey.pem -out /tmp/hypervisor.csr
  ```
- Copy the CSR and provide it to the issuer. If you are using FreeIPA, you can issue the certificate with ipa-admintools as demonstrated above, then copy the issued certificate back to the oVirt host.
- Install the server certificate in three locations on the oVirt host:
  - **/etc/pki/vdsm/certs/vdsmcert.pem**
  - **/etc/pki/vdsm/libvirt-spice/server-cert.pem**
  - **/etc/pki/libvirt/clientcert.pem**
- Restart vdsmd on the oVirt host:

  ```shell
  systemctl restart vdsmd.service
  ```
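Both halves of the procedure (the engine server and the oVirt host) end with a private key, a freshly issued certificate, and several copies of the issuer's certificate sitting in fixed paths, and a mismatch in any of them only shows up later as an opaque TLS failure between the engine, VDSM and libvirt. The script below is an added example, not part of the original page or of oVirt, that checks the three things worth confirming before restarting the services: the certificate really chains to the installed issuer certificate, the private key belongs to that certificate, and every copy of the issuer certificate is the same file. It assumes only `openssl(1)`; the `make_fixture` function builds a throwaway CA and server certificate (constructed test data) so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example for checking the certificates installed by the procedure above.
# Not oVirt code. Assumes openssl(1); all file paths are passed in as arguments.

# check_cert_chain CERT KEY CA
# Prints "ok" when CERT verifies against CA and KEY matches CERT,
# otherwise prints "chain-mismatch" or "key-mismatch" and returns 1.
check_cert_chain() {
    cert="$1"; key="$2"; ca="$3"
    # 1. Chain: the issued certificate must verify against the installed issuer cert.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "chain-mismatch"; return 1
    fi
    # 2. Key: the public key in the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key-mismatch"; return 1
    fi
    echo "ok"
}

# same_ca_copies FILE...
# Prints "ok" when every file carries a certificate with the same SHA-256 fingerprint,
# otherwise prints "differs:<file>" (or "unreadable:<file>") and returns 1.
same_ca_copies() {
    first=""
    for f in "$@"; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null) \
            || { echo "unreadable:$f"; return 1; }
        if [ -z "$first" ]; then
            first="$fp"
        elif [ "$fp" != "$first" ]; then
            echo "differs:$f"; return 1
        fi
    done
    echo "ok"
}

# make_fixture DIR
# Constructed test data: a throwaway CA, a server certificate issued by it,
# and an unrelated second CA so that the failure paths can be demonstrated.
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal req config so no system openssl.cnf extensions interfere.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -config "$dir/req.cnf" -addext "basicConstraints=critical,CA:TRUE" \
        -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=engine.example.com" \
        -keyout "$dir/engine.key" -out "$dir/engine.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/engine.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/engine.crt" >/dev/null 2>&1
    openssl req -x509 -config "$dir/req.cnf" -addext "basicConstraints=critical,CA:TRUE" \
        -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Usage: sh check-pki.sh CERT KEY CA [CA-COPY ...]
if [ "$#" -ge 3 ]; then
    check_cert_chain "$1" "$2" "$3"
    ca="$3"; shift 3
    if [ "$#" -gt 0 ]; then same_ca_copies "$ca" "$@"; fi
fi
```

On the engine server the call would be `sh check-pki.sh /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/ca.pem /etc/pki/ca-trust/source/anchors/apache-ca.pem`, and on the host the same with the vdsm key, certificate and cacert.pem copies listed above. The chain check deliberately uses `openssl verify` rather than comparing subject and issuer names, because a name match says nothing about whether the signature was made by the installed issuer.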