Bug 1440662

Summary: [TestOnly] 3rd party CA with / without sha256
Product: Red Hat Enterprise Virtualization Manager
Reporter: Sandro Bonazzola <sbonazzo>
Component: ovirt-engine
Assignee: Yedidyah Bar David <didi>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Kubica <pkubica>
Severity: medium
Priority: unspecified
Version: 4.1.0
CC: amarchuk, didi, lsurette, lsvaty, rbalakri, Rhev-m-bugs, srevivo, ykaul, ylavi
Target Milestone: ovirt-4.1.3
Keywords: TestOnly, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-07-18 13:34:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: Integration
Cloudforms Team: ---
Bug Depends On: 1420577

Description Sandro Bonazzola 2017-04-10 08:37:44 UTC
We have a section that explains how to install a 3rd party CA.
We need to confirm that this is still correct, relevant, desirable:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate

Now that we moved from sha1 to sha256 with the CA we generated by ovirt-engine, if a user is using a 3rd party CA it's up to the user to use sha256 then.

We do need to make sure that the procedure we write works well also for customers that used the above article and use 3rd party CAs.

Comment 1 Yedidyah Bar David 2017-04-12 06:37:45 UTC
(In reply to Sandro Bonazzola from comment #0)
> We have a section that explains how to install a 3rd party CA.
> We need to confirm that this is still correct, relevant, desirable:
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
> 
> Now that we moved from sha1 to sha256 with the CA we generated by
> ovirt-engine, if a user is using a 3rd party CA it's up to the user to use
> sha256 then.
> 
> We do need to make sure that the procedure we write works well also for
> customers that used the above article and use 3rd party CAs.

"The procedure we write" refers to the still-not-ready expected result of bug 1420577.

Comment 4 Petr Kubica 2017-06-23 05:01:33 UTC
Verified.

Verification steps:
- already created own certificates (Root CA, Intermediate CA, Apache cert)
- Root CA was imported to browsers
1) Install latest 4.0
2) Import own certificates: Intermediate CA as apache-ca.pem, and Apache cert (using flow from documentation [1])
3) Update to latest 4.1
4) Check certificate in browsers
5) Migrate all other certs to sha256 as commented in bug 1420577 without Apache cert
6) Check

- tested with sha1 and sha256 Apache certs
- in case of sha1 there is a warning in the browser console, but the user is responsible for using sha256 certificates

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
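
The sha1 / sha256 distinction tested above can also be checked on the PEM files themselves before they are imported. The following is an added example, not part of the bug report or of oVirt; the function names, the script name and the file arguments are assumptions, and it relies on `openssl`, `awk` and `mktemp` being installed:

```shell
#!/bin/sh
# Added example: flag SHA-1/MD5-signed certificates in PEM files such as an
# Apache certificate or a CA chain file (for instance apache-ca.pem).

# Map an OpenSSL signature-algorithm name to weak / ok / unknown.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*) echo weak ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo ok ;;
        *) echo unknown ;;   # e.g. rsassaPss or ED25519: inspect by hand
    esac
}

# Print "<status> <sigalg> <subject>" for every certificate in a PEM file.
# The body runs in a subshell, so its variables stay private.
# Exit status: 0 all ok, 1 something weak/unknown, 2 no certificate found.
audit_pem() (
    file=$1; rc=0
    tmp=$(mktemp -d) || exit 2
    # A chain file may hold several certificates; split it one per file.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = 1 }
        out { print > (d "/" n ".pem") }
        /-----END CERTIFICATE-----/   { out = 0; close(d "/" n ".pem") }
    ' "$file"
    set -- "$tmp"/*.pem
    if [ ! -e "$1" ]; then
        echo "no certificate found in $file" >&2; rm -rf "$tmp"; exit 2
    fi
    for cert in "$@"; do
        alg=$(openssl x509 -in "$cert" -noout -text |
              awk '/Signature Algorithm:/ { print $3; exit }')
        subj=$(openssl x509 -in "$cert" -noout -subject)
        status=$(classify_sigalg "$alg")
        echo "$status $alg ${subj#subject=}"
        [ "$status" = ok ] || rc=1
    done
    rm -rf "$tmp"
    exit "$rc"
)

# Hypothetical usage: sh check-sigalg.sh <apache-cert.pem> <apache-ca.pem>
if [ "$#" -gt 0 ]; then
    worst=0
    for f in "$@"; do audit_pem "$f" || worst=1; done
    exit "$worst"
fi
```

A `weak` result matters for the server certificate and intermediate CAs; clients do not verify the self-signature on a root CA they already trust, so a SHA-1 self-signed root will be flagged here without causing the browser warning.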