Bug 2079835

Summary: Separate validity length of Apache and internal certificates
Product: [oVirt] ovirt-engine
Reporter: Michal Skrivanek <michal.skrivanek>
Component: General
Assignee: Milan Zamazal <mzamazal>
Status: CLOSED CURRENTRELEASE
QA Contact: Petr Kubica <pkubica>
Severity: high
Docs Contact:
Priority: unspecified
Version: ---
CC: bugs, lsvaty, mperina, pkubica
Target Milestone: ovirt-4.5.0-1
Flags: pm-rhel: ovirt-4.5?
       lsvaty: exception+
Target Release: 4.5.0.7
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ovirt-engine-4.5.0.7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-05-30 06:42:37 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Skrivanek 2022-04-28 10:49:21 UTC
Currently we issue all the certificates with the same validity period - 398 days since 4.4.3 (bug 1824103).
While all browsers now complain and don't allow longer ones, this doesn't apply to non-browser TLS communication.

Let's separate out the certificates that are used with Apache for web access (webadmin, VM portal, grafana, imageio-proxy for UI disk upload, websocket proxy for noVNC) from others that we use (vdsm<->engine, libvirt, qemu, OVN)

The internal ones are more difficult to renew - they're mostly on hosts, while Apache is just on the engine host. So let's issue them for a longer period, 10 years (depending on bug 2079799, this would be half the lifetime of the CA).

Comment 1 Michal Skrivanek 2022-05-02 13:23:42 UTC
(In reply to Michal Skrivanek from comment #0)
> So let's issue them for a longer period, 10 years (depending on bug 2079799, this would be half the lifetime
> of the CA)

or 5 years, the same as it was prior to 4.4.3

Comment 2 Milan Zamazal 2022-05-02 17:33:48 UTC
It seems the Engine and host certificates are already separated so all we need to do here is to increase the lifetime of the host certificates.

Comment 3 Petr Kubica 2022-05-23 23:49:52 UTC
verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch

Internal certificates have 5 years validity and external ones, such as Apache or websocket proxy, have 1 year.
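An added check in the spirit of the verification in comment 3, not code from oVirt or from this bug: it reads a PEM certificate, computes its validity in days, and tests it against the two policies discussed here (at most 398 days for the Apache-facing certificates, at least 5 years for the internal host certificates). The role names "apache"/"internal", the limit constants, and the self-signed sample certificates are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Limits assumed from this bug: Apache (browser-facing) certs at most 398 days, internal host certs at least 5 years.
const maxApacheDays, internalDays = 398, 5 * 365

// validityDays parses one PEM certificate and returns NotAfter minus NotBefore in whole days.
func validityDays(certPEM []byte) (int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24), nil
}

// checkValidity reports whether a certificate's lifetime fits its role ("apache" or "internal"); other roles are rejected.
func checkValidity(certPEM []byte, role string) error {
	days, err := validityDays(certPEM)
	if err != nil {
		return err
	}
	fits := map[string]bool{"apache": days <= maxApacheDays, "internal": days >= internalDays}
	if ok, known := fits[role]; !known || !ok {
		return fmt.Errorf("role %q with %d days validity is unknown or outside policy", role, days)
	}
	return nil
}

// selfSignedPEM builds a constructed self-signed certificate valid for the given days; sample input only, not oVirt's PKI.
func selfSignedPEM(cn string, days int) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

To check a deployed certificate, pass the PEM bytes read from disk to checkValidity with the role that matches where the certificate is served.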