Bug 2079799

Summary: issue the internal Certificate Authority for 20 years
Product: [oVirt] ovirt-engine
Reporter: Michal Skrivanek <michal.skrivanek>
Component: General
Assignee: Michal Skrivanek <michal.skrivanek>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Kubica <pkubica>
Severity: high
Docs Contact:
Priority: unspecified
Version: ---
CC: bugs, lsvaty, mperina, pkubica
Target Milestone: ovirt-4.5.0-1
Keywords: ZStream
Target Release: 4.5.0.7
Flags: sbonazzo: ovirt-4.5+, lsvaty: exception+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.5.0.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-23 06:21:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Skrivanek 2022-04-28 09:40:36 UTC
Currently our internal CA is always issued for 10 years during the initial engine-setup. This carries over through upgrades, and on old enough installations we can get close to expiration. We don't have an easy way to replace the internal CA without complete downtime, and running over the expiration date leads to a complete cease of communication between all oVirt components.

20 years sounds slightly better.

Comment 1 Michal Skrivanek 2022-04-28 09:45:41 UTC
Best to apply to QEMU CA as well. Not that VMs stick around running for such a long time, but just so we don't differ and don't have to renew at different times.

Comment 2 Petr Kubica 2022-05-13 08:40:52 UTC
Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch

# openssl x509 -text -in ca.pem
....
        Validity
            Not Before: May 11 13:54:00 2022 GMT
            Not After : May  7 13:54:00 2042 GMT
....
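
The check that comment 2 performs by eye, as an added example (not part of the bug report and not ovirt-engine code): it parses the Validity block of `openssl x509 -text` output and reports the CA lifetime and the time left before expiry. The function names and the 730-day warning threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity lines quoted in comment 2 of this bug.
SAMPLE = """\
        Validity
            Not Before: May 11 13:54:00 2022 GMT
            Not After : May  7 13:54:00 2042 GMT
"""

_FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for label, value in _FIELD.findall(text):
        # openssl pads single-digit days with an extra space; normalise it.
        value = " ".join(value.split())
        stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
        found[label] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block is missing Not Before or Not After")
    return found["Before"], found["After"]


def ca_status(text, now, warn_days=730):
    """Summarise CA lifetime; warn_days is an assumed renewal threshold."""
    not_before, not_after = parse_validity(text)
    remaining = not_after - now
    return {
        "lifetime_days": (not_after - not_before).days,
        "remaining_days": remaining.days,
        "expired": now >= not_after,
        "not_yet_valid": now < not_before,
        "renew_soon": remaining <= timedelta(days=warn_days),
    }


if __name__ == "__main__":
    print(ca_status(SAMPLE, datetime.now(timezone.utc)))
```

Because replacing the internal CA needs downtime, the warning threshold should leave enough time to plan a maintenance window.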