1936349 – 'CA certificate' link from Welcome page cannot be used for importing certificate to clients after switching to custom HTTPS certificate signed by custom CA

Bug 1936349 - 'CA certificate' link from Welcome page cannot be used for importing certificate to clients after switching to custom HTTPS certificate signed by custom CA

Summary: 'CA certificate' link from Welcome page cannot be used for importing certific...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	Documentation
Sub Component:
Version:	4.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ovirt-4.5.3
Target Release:	---
Assignee:	Eli Marcus
QA Contact:	Guilherme Santos
Docs Contact:
URL:
Whiteboard:	docscope 4.5
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-03-08 09:25 UTC by Martin Perina
Modified:	2023-02-28 13:23 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-02-28 13:23:34 UTC
oVirt Team:	Infra
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Martin Perina 2021-03-08 09:25:30 UTC

As a part of Welcome page we have a link 'CA certificate' which can be used to download and import engine CA certificate on clients, which needs to be done to have a verified connection for RHV Manager. By default engine HTTPS certificate is signed by engine CA.

But we have a procedure to replace engine HTTPS certificate by custom HTTPS certificate signed by custom CA:


https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/appe-red_hat_enterprise_virtualization_and_ssl#Replacing_the_Manager_CA_Certificate

After switching to custom HTTPS certificate 'CA certificate' link cannot be used any longer to import certificate to clients, because it return engine CA and not the custom CA. So customers need to use their own CA certificate distribution to make that certificate available on clients. There is a confusion about it currently (BZ1928158), so we should add a note about it into 'Replacing the Manager CA Certificate' chapter

Comment 2 Germano Veit Michel 2023-01-12 03:19:42 UTC

When you do that, please also explain that when integrating with other products such as Red Hat Sattelite, one needs to manually import the correct certificate into Satellite.

Satellite will by default get the CA from the URL of the PKI Servlet, ca-certificate resource, so the internal CA will be provided and it wont work and it needs to be done manually.

Comment 3 Steffen Froemer 2023-01-12 07:13:52 UTC

(In reply to Germano Veit Michel from comment #2)
> When you do that, please also explain that when integrating with other
> products such as Red Hat Sattelite, one needs to manually import the correct
> certificate into Satellite.
> 
> Satellite will by default get the CA from the URL of the PKI Servlet,
> ca-certificate resource, so the internal CA will be provided and it wont
> work and it needs to be done manually.
Note, that Satellite has deprecated RHV support in current version [1] and the option will be removed soon. But good point to have it documented.

[1]: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.12/html/release_notes/assembly_introducing-red-hat-satellite_sat6-release-notes#ref_deprecated-functionality_assembly_introducing-red-hat-satellite

Comment 10 Eli Marcus 2023-02-28 13:23:34 UTC

PR was merged

Note You need to log in before you can comment on or make changes to this bug.