Bug 1936349

Summary: 'CA certificate' link from Welcome page cannot be used for importing certificate to clients after switching to custom HTTPS certificate signed by custom CA
Product: Red Hat Enterprise Virtualization Manager Reporter: Martin Perina <mperina>
Component: DocumentationAssignee: Eli Marcus <emarcus>
Status: CLOSED CURRENTRELEASE QA Contact: Guilherme Santos <gdeolive>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.4.0CC: apinnick, emarcus, gveitmic, lsurette, mhicks, sfroemer, srevivo
Target Milestone: ovirt-4.5.3Keywords: Documentation
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: docscope 4.5
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-28 13:23:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Martin Perina 2021-03-08 09:25:30 UTC 
As a part of Welcome page we have a link 'CA certificate' which can be used to download and import engine CA certificate on clients, which needs to be done to have a verified connection for RHV Manager. By default engine HTTPS certificate is signed by engine CA.

But we have a procedure to replace engine HTTPS certificate by custom HTTPS certificate signed by custom CA:


https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate

After switching to custom HTTPS certificate 'CA certificate' link cannot be used any longer to import certificate to clients, because it return engine CA and not the custom CA. So customers need to use their own CA certificate distribution to make that certificate available on clients. There is a confusion about it currently (BZ1928158), so we should add a note about it into 'Replacing the Manager CA Certificate' chapter
Comment 2 Germano Veit Michel 2023-01-12 03:19:42 UTC 
When you do that, please also explain that when integrating with other products such as Red Hat Sattelite, one needs to manually import the correct certificate into Satellite.

Satellite will by default get the CA from the URL of the PKI Servlet, ca-certificate resource, so the internal CA will be provided and it wont work and it needs to be done manually.
Comment 3 Steffen Froemer 2023-01-12 07:13:52 UTC 
(In reply to Germano Veit Michel from comment #2)
> When you do that, please also explain that when integrating with other
> products such as Red Hat Sattelite, one needs to manually import the correct
> certificate into Satellite.
> 
> Satellite will by default get the CA from the URL of the PKI Servlet,
> ca-certificate resource, so the internal CA will be provided and it wont
> work and it needs to be done manually.
Note, that Satellite has deprecated RHV support in current version [1] and the option will be removed soon. But good point to have it documented.

[1]: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html/release_notes/assembly_introducing-red-hat-satellite_sat6-release-notes#ref_deprecated-functionality_assembly_introducing-red-hat-satellite
Comment 10 Eli Marcus 2023-02-28 13:23:34 UTC 
PR was merged