Bug 1122895
| Summary: | [Docs][Bugfix][Admin] Improve descriptions of certs in the Replacing the RHEV-M SSL Certificate chapter | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Virtualization Manager | Reporter: | Lukas Zapletal <lzap> |
| Component: | Documentation | Assignee: | rhev-docs <rhev-docs> |
| Status: | CLOSED DUPLICATE | QA Contact: | Andrew Burden <aburden> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.4.0 | CC: | juwu, lbopf, lsurette, mgrigull, rbalakri, rpai, srevivo, ylavi |
| Target Milestone: | ovirt-4.1.1 | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | Build Name: 22464, Administration Guide-3.3-1; Build Date: 29-04-2014 13:00:50; Topic ID: 10782-591943 [Specified] |
| Last Closed: | 2017-02-07 07:55:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | Docs | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1156381 | | |

Description
Lukas Zapletal
2014-07-24 10:39:38 UTC
*** Bug 1146775 has been marked as a duplicate of this bug. ***

Hi,

It might be worthwhile providing a hierarchical map of all of the keys, signing requests and certificates in all of their formats, and the services that use them (for restarting) and any file permissions needed. It would also be good to know what openssl.conf settings are needed for each certificate and what constraints are required by the CA for RHEVm.

This would then be detailed with steps for every one of those components.

A few of these components have been documented in kbase articles [1].

In GSS case 01217776 we learned how to restore apache.cer and apache.key.nopass from a .p12 store [2].

This would allow both customers and GSS to determine both how to replace CA certs and all follow-on certificates and to repair broken installations.

[1] https://access.redhat.com/solutions/405333
    https://access.redhat.com/solutions/972613

[2]
    # openssl pkcs12 -passin "pass:PASSWORD" -nokeys -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/certs/apache.cer
    # openssl pkcs12 -passin "pass:PASSWORD" -nocerts -nodes -in /etc/pki/ovirt-engine/keys/apache.p12 > /etc/pki/ovirt-engine/keys/apache.key.nopass
    # chmod 0600 /etc/pki/ovirt-engine/keys/apache.key.nopass

Other parts to include are what certificate chains are needed (by clients and other components), especially where the custom CA cert might be a third-tier certificate.

If replacing certificates on an established system is at home in the administration guide as opposed to being part of a deployment guide, then it is imperative that all of the components for SSL are exposed.

Changing status back to 'New' until re-assignment.

oVirt 4.0 Alpha has been released, moving to oVirt 4.0 Beta target.

Closing this as a duplicate of bug 1416232, which tracks multiple feedback items for this section.

*** This bug has been marked as a duplicate of bug 1416232 ***
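
The extraction in footnote [2] above, as an added example that is not part of the original bug comments or Red Hat's documentation: it reads the store password from the environment instead of the command line, creates the key file with restrictive permissions from the start, and checks that the certificate and key share a public key before writing either output. The function name `extract_pair` and the variable `P12_PASS` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): extract_pair and P12_PASS are
# names assumed for this sketch.
# Usage: P12_PASS=... ; export P12_PASS ; extract_pair STORE.p12 CERT_OUT KEY_OUT
extract_pair() {
    p12=$1; cert_out=$2; key_out=$3
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    export P12_PASS

    old_umask=$(umask)
    umask 077    # files holding the key are private from creation onward
    tmp=$(mktemp -d) || { umask "$old_umask"; return 2; }
    rc=0

    # -passin env: keeps the password out of the process list.
    # -clcerts selects the certificate that pairs with the key, not CA certs.
    openssl pkcs12 -passin env:P12_PASS -nokeys -clcerts -in "$p12" 2>/dev/null |
        openssl x509 -out "$tmp/cert" 2>/dev/null || rc=1
    openssl pkcs12 -passin env:P12_PASS -nocerts -nodes -in "$p12" 2>/dev/null |
        openssl pkey -out "$tmp/key" 2>/dev/null || rc=1

    # A certificate and key belong together when their public keys are equal.
    cert_pub=$(openssl x509 -in "$tmp/cert" -noout -pubkey 2>/dev/null) || rc=1
    key_pub=$(openssl pkey -in "$tmp/key" -pubout 2>/dev/null) || rc=1

    if [ "$rc" -eq 0 ] && [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        # Write the key while umask 077 is active, and tighten a pre-existing file.
        { cat "$tmp/key" > "$key_out" && chmod 0600 "$key_out"; } || rc=1
        umask "$old_umask"
        cat "$tmp/cert" > "$cert_out" || rc=1
    else
        echo "extraction failed or certificate and key do not match" >&2
        rc=1
    fi

    umask "$old_umask"
    rm -rf "$tmp"
    return "$rc"
}
```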