Bug 1440662 - [TestOnly] 3rd party CA with / without sha256
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ovirt-4.1.3
: ---
Assignee: Yedidyah Bar David
QA Contact: Petr Kubica
URL:
Whiteboard:
Depends On: 1420577
Blocks:
Reported: 2017-04-10 08:37 UTC by Sandro Bonazzola
Modified: 2019-04-28 13:51 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-18 13:34:16 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1420577 0 medium CLOSED [Docs][RFE][Upgrade] Document change to signed certificates. 2021-02-22 00:41:40 UTC

Internal Links: 1420577

Description Sandro Bonazzola 2017-04-10 08:37:44 UTC
We have a section that explains how to install a 3rd party CA.
We need to confirm that this is still correct, relevant, desirable:
https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate

Now that we have moved from sha1 to sha256 with the CA generated by ovirt-engine, if a user is using a 3rd party CA, it's up to the user to use sha256.

We do need to make sure that the procedure we write also works well for customers that used the above article and use 3rd party CAs.

Comment 1 Yedidyah Bar David 2017-04-12 06:37:45 UTC
(In reply to Sandro Bonazzola from comment #0)
> We have a section that explains how to install a 3rd party CA.
> We need to confirm that this is still correct, relevant, desirable:
> https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
> 
> Now that we have moved from sha1 to sha256 with the CA generated by
> ovirt-engine, if a user is using a 3rd party CA, it's up to the user to
> use sha256.
> 
> We do need to make sure that the procedure we write also works well for
> customers that used the above article and use 3rd party CAs.

"The procedure we write" refers to the still-not-ready expected result of bug 1420577.

Comment 4 Petr Kubica 2017-06-23 05:01:33 UTC
Verified.

Verification steps:
- already created own certificates (Root CA, Intermediate CA, Apache cert)
- Root CA was imported to browsers
1) Install latest 4.0
2) Import own certificates: Intermediate CA as apache-ca.pem, and Apache cert (using flow from documentation [1])
3) Update to latest 4.1
4) Check certificate in browsers
5) Migrate all other certs to sha256 as commented in bug 1420577 without Apache cert
6) Check

- tested with sha1 and sha256 Apache certs
- in case of sha1 there is a warning in the browser console, but the user is responsible for using sha256 certificates

[1] https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.1/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_SSL_Certificate
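
An added example, not part of the bug report or of ovirt-engine: a shell check that reports the signature hash of PEM certificates, such as the Apache cert and apache-ca.pem from the verification above, and flags SHA-1 before a browser does. It assumes the `openssl` CLI is installed; the function names are hypothetical and the certificate paths are passed as arguments.

```shell
#!/bin/sh
# Added example: report the signature hash of PEM certificates and flag
# weak ones (SHA-1, MD5). Function names are hypothetical; certificate
# paths are supplied by the caller.

# Print the signature algorithm of the first certificate in a PEM file.
# Prints nothing if the file cannot be parsed as a certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk -F': ' '/Signature Algorithm:/ { print $2; exit }'
}

# Classify an OpenSSL signature algorithm name.
# Limitation: RSASSA-PSS certificates list their hash in separate
# parameters, which this name-based check does not inspect.
classify_alg() {
    case "$1" in
        *[Ss][Hh][Aa]1*|*[Mm][Dd]5*) echo weak ;;
        "")                          echo unreadable ;;
        *)                           echo ok ;;
    esac
}

# Check every file given; return 1 if any is weak or unreadable.
check_certs() {
    rc=0
    for pem in "$@"; do
        alg=$(cert_sig_alg "$pem")
        verdict=$(classify_alg "$alg")
        printf '%s: %s (%s)\n' "$pem" "${alg:-no certificate found}" "$verdict"
        [ "$verdict" = ok ] || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh check.sh <apache cert> <apache-ca.pem> ...
if [ "$#" -gt 0 ]; then
    check_certs "$@"
fi
```

Only the first certificate in each file is read, so a bundle holding several CA certificates needs to be split before checking.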

