Bug 1334702

Summary: [z-stream clone - 3.6.6] hosted-engine-setup trusts also the system defined CA certs while the oVirt python SDK ignores them
Product: Red Hat Enterprise Virtualization Manager
Reporter: rhev-integ
Component: ovirt-hosted-engine-setup
Assignee: Simone Tiraboschi <stirabos>
Status: CLOSED ERRATA
QA Contact: Artyom <alukiano>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 3.6.3
CC: dfediuck, gklein, juan.hernandez, lsurette, mavital, mkalinin, nashok, sbonazzo, stirabos, ykaul
Target Milestone: ovirt-3.6.6
Keywords: Triaged, ZStream
Target Release: 3.6.6
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1321381
Environment:
Last Closed: 2016-05-27 14:43:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1321381
Bug Blocks: 1330523

Comment 1 Artyom 2016-05-16 10:42:25 UTC
Verified on ovirt-hosted-engine-setup-1.3.6.1-1.el7ev.noarch

1) Deploy hosted-engine on the first host
2) Change the apache certificate on the engine VM according to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Virtualization/3.6/html/Administration_Guide/appe-Red_Hat_Enterprise_Virtualization_and_SSL.html#Replacing_the_SSL_certificate_used_by_Red_Hat_Enterprise_Virtualization_Manager_to_identify_itself_to_users_connecting_over_https (do not explain about SELINUX labels)
3) Add the custom CA that signed the new apache certificate to the second host
   * cp my-custom-ca.pem /etc/pki/ca-trust/source/anchors/
   * update-ca-trust
4) Deploy the second host
...
[ INFO  ] The following CA certificate is going to be used, please immediately interrupt if not correct:
[ INFO  ] Issuer: C=US, O=qa.lab.tlv.redhat.com, CN=alukiano-he-1.qa.lab.tlv.redhat.com.86247, Subject: C=US, O=qa.lab.tlv.redhat.com, CN=alukiano-he-1.qa.lab.tlv.redhat.com.86247, Fingerprint (SHA-1): 85DC095268B216C14BBA5F960D8AB09F4E7BF336
          The REST API cert couldn't be trusted with the internal CA cert
          Would you like to continue in insecure mode (not recommended)?
          If not, please provide your CA cert at /etc/pki/CA/ovirtcustomcacert.pem before continuing
          (Yes, No)[No]? Yes
[ INFO  ] Connecting to the Engine
[ INFO  ] Waiting for the host to become operational in the engine. This may take several minutes...
[ INFO  ] The VDSM Host is now operational
...
Deploy succeeded without any problems
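A check that reproduces the mismatch named in the summary on constructed certificates, added here as an example and not taken from the bug report or from ovirt-hosted-engine-setup: it assumes only the openssl CLI, generates a stand-in internal CA, a custom CA and an engine certificate signed by the custom CA, then verifies that engine certificate against the internal CA file alone (the view the SDK had) and against a bundle standing in for the system trust store after update-ca-trust (the view the setup had). The file names and CNs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or ovirt-hosted-engine-setup).
# Assumes only the openssl CLI. All keys and certificates are constructed
# in a temporary directory, so nothing touches the real trust store.
set -eu

# chain_trusted CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to
# CA_FILE; -no-CApath keeps the system certificate directory out of the
# check, which is the view the oVirt SDK had (internal CA file only).
chain_trusted() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# trust_view CA_FILE CERT_FILE: prints "trusted" or "untrusted".
trust_view() {
    if chain_trusted "$1" "$2"; then echo trusted; else echo untrusted; fi
}

# make_ca DIR NAME: self-signed CA (constructed) -> DIR/NAME.pem, DIR/NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# setup_demo_pki DIR: internal CA, custom CA, engine cert signed by the
# custom CA, and bundle.pem standing in for the system trust bundle after
# "update-ca-trust" (internal CA plus custom CA).
setup_demo_pki() {
    make_ca "$1" internal-ca
    make_ca "$1" custom-ca
    openssl req -newkey rsa:2048 -nodes -subj "/CN=engine.example.test" \
        -keyout "$1/engine.key" -out "$1/engine.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/engine.csr" -CA "$1/custom-ca.pem" \
        -CAkey "$1/custom-ca.key" -CAcreateserial -out "$1/engine.pem" 2>/dev/null
    cat "$1/internal-ca.pem" "$1/custom-ca.pem" > "$1/bundle.pem"
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
setup_demo_pki "$DEMO"
# Same certificate, two trust anchors: the SDK says untrusted, the setup's
# system-bundle view says trusted, which is the disagreement this bug fixed.
echo "SDK view   (internal CA file only): $(trust_view "$DEMO/internal-ca.pem" "$DEMO/engine.pem")"
echo "setup view (system trust bundle):   $(trust_view "$DEMO/bundle.pem" "$DEMO/engine.pem")"
```

Run the same trust_view against /etc/pki/CA/ovirtcustomcacert.pem and the certificate the engine actually presents to confirm, before deploying an additional host, that the CA file handed to the SDK is the one that signed the engine's apache certificate.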