Bug 1416232 - [Docs] SSL certificate procedure feedback
Summary: [Docs] SSL certificate procedure feedback
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: Documentation
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: ovirt-4.1.3
Assignee: Emma Heftman
QA Contact: Tahlia Richardson
URL:
Whiteboard:
Duplicates: 1122895 1156381 1330754 1417055 1443225
Depends On:
Blocks: 1156381 1362573
 
Reported: 2017-01-25 00:44 UTC by Tahlia Richardson
Modified: 2020-04-15 15:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-26 08:49:27 UTC
oVirt Team: Docs
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1483371 0 unspecified CLOSED [Docs] SSL certificate procedure - step missing 2021-02-22 00:41:40 UTC

Internal Links: 1483371

Description Tahlia Richardson 2017-01-25 00:44:00 UTC
This is a catch-all bug to collect feedback from various sources on "Replacing the Red Hat Virtualization Manager SSL Certificate"[1], which seems to be receiving a lot of attention lately. 

Please add any further feedback to this bug. 

[1] https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/appendix-d-red-hat-virtualization-and-ssl

Comment 1 Tahlia Richardson 2017-01-25 00:46:43 UTC
Public docs comment[1] feedback:

"Can we add more to this explaining how to generate a compatible P12 from openssl or even a CSR with response. I think some details on key length, algorithm would be beneficial. This appears to be a difficult subject for many end users. Also an export or import indicating the option for -nokeys may be needed.

Why does ovirt seem to be different than instructions here? What about the nopass key? http://www.ovirt.org/documentation/admin-guide/appe-oVirt_and_SSL/"


[1] https://access.redhat.com/documentation/en/red-hat-virtualization/4.0/paged/administration-guide/appendix-d-red-hat-virtualization-and-ssl#comment-1140791

Comment 5 Tahlia Richardson 2017-01-31 01:40:30 UTC
*** Bug 1417055 has been marked as a duplicate of this bug. ***

Comment 6 Lucy Bopf 2017-02-07 07:55:12 UTC
*** Bug 1122895 has been marked as a duplicate of this bug. ***

Comment 7 Lucy Bopf 2017-02-07 07:58:24 UTC
*** Bug 1156381 has been marked as a duplicate of this bug. ***

Comment 8 Yaniv Lavi 2017-02-07 08:44:22 UTC
*** Bug 1330754 has been marked as a duplicate of this bug. ***

Comment 9 Eric Silberberg 2017-03-29 20:13:06 UTC
Step 4 is a possible source of confusion.
"Back up your P12 bundle, and then move it to /etc/pki/ovirt-engine/keys/apache.p12."

That's one of the only steps in the document without the followup syntax. Also 'your p12 bundle' is somewhat vague. I'm assuming it is a new p12 file created for the apache server certificate and not for the root CA certificate.
Assuming that it requires openssl pkcs12 -export -inkey mynew.key -in mynew.crt  -out apache.p12

Comment 10 Eric Silberberg 2017-03-29 20:21:08 UTC
Also 'Back up your bundle' could imply using existing key and cert combination before applying the new one. I'm still assuming from the reference to apache.p12 in step 5,6 that what step 4 means is 'create a new p12 bundle from your cert and key'
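
Added example, not part of the bug thread or of the Red Hat procedure: a check that a PKCS#12 bundle built with the command assumed in Comment 9 opens with its password, contains a private key, and that the key belongs to the bundled certificate, run before the file is moved into place. The file names, the CN and the export password are constructed for the demo; the second bundle is exported with -nokeys (the option raised in Comment 1) to show the check rejecting a bundle that has no key.

```shell
#!/usr/bin/env bash
# Added example. All file names, the CN and the password are constructed.
PW='demo-only-password'

# Build a throwaway key + self-signed cert, then two bundles in directory $1:
#   apache.p12     key + cert (the command assumed in Comment 9)
#   certsonly.p12  exported with -nokeys, so it carries no private key
make_demo_bundles() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=manager.example.test' \
        -keyout "$1/mynew.key" -out "$1/mynew.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/mynew.key" -in "$1/mynew.crt" \
        -out "$1/apache.p12" -passout "pass:$PW" || return 1
    openssl pkcs12 -export -nokeys -in "$1/mynew.crt" \
        -out "$1/certsonly.p12" -passout "pass:$PW"
}

# Public key derived from the private key stored in bundle $1 (password $2).
p12_key_pub() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null
}

# Public key of the end-entity certificate stored in the bundle.
p12_cert_pub() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null
}

# Succeeds only if the bundle opens with the password, contains a private
# key, and that key belongs to the bundled certificate.
check_p12() {
    local k c
    k=$(p12_key_pub "$1" "$2") || return 1
    c=$(p12_cert_pub "$1" "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

demo_dir=$(mktemp -d)
if make_demo_bundles "$demo_dir"; then
    for f in apache.p12 certsonly.p12; do
        if check_p12 "$demo_dir/$f" "$PW"; then
            echo "$f: key matches certificate"
        else
            echo "$f: REJECTED (unreadable, no key, or key/cert mismatch)"
        fi
    done
fi
rm -rf "$demo_dir"
```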

Comment 11 Lucy Bopf 2017-04-24 08:23:22 UTC
From bug 1443225:

The RHV 4.x Administration Guide does not include a step to update /etc/pki/ovirt-engine/ca.pem when using a self-signed certificate under "Appendix D. Red Hat Virtualization and SSL".

Below are the steps to include:

# cd /etc/pki/ovirt-engine
# openssl x509 -in /tmp/<self_signed_certificate> -text -noout > ca.pem
# cat apache-ca.pem >> ca.pem

systemctl restart httpd.service
systemctl restart ovirt-engine.service

Would be good to change the title from 'SSL' to 'SSL/TLS'.

Comment 12 Lucy Bopf 2017-04-24 08:24:14 UTC
*** Bug 1443225 has been marked as a duplicate of this bug. ***

Comment 13 Lucy Bopf 2017-07-13 05:40:52 UTC
Assigning to Emma for review.

Comment 14 Yedidyah Bar David 2017-07-13 09:27:23 UTC
Emma asked me in private to review :-) Setting needinfo on myself for now.

Comment 29 Emma Heftman 2017-07-26 08:49:27 UTC
The updated documentation is available on the Customer Portal:

https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html-single/administration_guide/#Replacing_the_Manager_SSL_Certificate

