We have a section that explains how to install 3rd party CA. We need to confirm that this is still correct, relevant, desirable: https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate Now that we moved from sha1 to sha256 with the CA we generated by ovirt-engine, if user is using 3rd party CA it's up to users to use sha256 then. We do need to make sure that the procedure we write works well also for customers that used above article and use 3rd party CAs.
(In reply to Sandro Bonazzola from comment #0) > We have a section that explains how to install 3rd party CA. > We need to confirm that this is still correct, relevant, desirable: > https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/ > html/administration_guide/appe- > red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certifica > te > > Now that we moved from sha1 to sha256 with the CA we generated by > ovirt-engine, if user is using 3rd party CA it's up to users to use sha256 > then. > > We do need to make sure that the procedure we write works well also for > customers that used above article and use 3rd party CAs. "The procedure we write" refers to the still-not-ready expected result of bug 1420577.
Verified. Verification steps: - already created own certificates (Root CA, Intermediate CA, Apache cert) - Root CA was imported to browsers 1) Install latest 4.0 2) Import own certificates Intermediate CA as apache-ca.pem and Apache cert (using flow from documentation [1]) 3) Update to latest 4.1 4) Check certificate in browsers 5) Migrate all other certs to sha256 as commented in bug 1420577 without Apache cert 6) Check - tested with sha1 and sha256 Apache certs - in case of sha1 there is warning in browser console but user is responsible for using certificates sha256 [1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate