Currently we issue all the certificates with the same validity period - 398 days since 4.4.3 (bug 1824103). While all browsers now complain and don't allow longer ones, this doesn't apply to non-browser TLS communication. Let's separate out the certificates that are used with Apache for web access (webadmin, VM portal, grafana, imageio-proxy for UI disk upload, websocket proxy for noVNC) from others that we use (vdsm<->engine, libvirt, qemu, OVN). The internal ones are more difficult to renew - they're mostly on hosts, while Apache is just on the engine host. So let's issue them for a longer period, 10 years (depending on bug 2079799, this would be half the lifetime of the CA).
(In reply to Michal Skrivanek from comment #0)
> So let's issue them for longer period, 10 years (depending on bug 2079799, this would be half the lifetime
> of CA)

or 5 years, the same as it was prior to 4.4.3
It seems the Engine and host certificates are already separated so all we need to do here is to increase the lifetime of the host certificates.
Verified in ovirt-engine-4.5.0.7-0.9.el8ev.noarch: internal certificates have 5 years validity and external ones, such as apache or websocket proxy, have 1 year.
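
A check for the split described in this thread, as an added example that is not part of the bug report or of oVirt's code: it reads the `notBefore`/`notAfter` lines printed by `openssl x509 -noout -dates` and compares each certificate's lifetime with the limit for its class (398 days for browser-facing, 5 years for internal). The certificate labels, the `web`/`internal` tags, the sample dates and the "still short-lived" verdict are assumptions made for the example.

```python
from datetime import datetime

# Limits taken from the thread: 398 days for browser-facing certificates,
# 5 years for internal ones.
WEB_MAX_DAYS = 398
INTERNAL_MAX_DAYS = 5 * 365 + 2  # five calendar years span at most two leap days

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def validity_days(dates_output):
    """Whole days between notBefore and notAfter in `openssl x509 -noout -dates` output."""
    fields = {}
    for line in dates_output.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = datetime.strptime(value.strip(), OPENSSL_DATE)
    return (fields["notAfter"] - fields["notBefore"]).days


def audit(certs):
    """Return (label, days, verdict) for each (label, kind, dates_output) entry."""
    results = []
    for label, kind, dates_output in certs:
        days = validity_days(dates_output)
        limit = WEB_MAX_DAYS if kind == "web" else INTERNAL_MAX_DAYS
        if days > limit:
            verdict = "too long"  # exceeds the limit for this class
        elif kind == "internal" and days <= WEB_MAX_DAYS:
            verdict = "still short-lived"  # internal cert not yet on the longer lifetime
        else:
            verdict = "ok"
        results.append((label, days, verdict))
    return results


# Constructed sample data (hypothetical labels and dates, not from a real deployment).
SAMPLE = [
    ("apache", "web", "notBefore=Apr 12 10:00:00 2022 GMT\nnotAfter=May 15 10:00:00 2023 GMT"),
    ("websocket-proxy", "web", "notBefore=Apr 12 10:00:00 2022 GMT\nnotAfter=Apr 12 10:00:00 2027 GMT"),
    ("vdsm", "internal", "notBefore=Apr  2 10:00:00 2022 GMT\nnotAfter=Apr  2 10:00:00 2027 GMT"),
    ("libvirt", "internal", "notBefore=Apr 12 10:00:00 2022 GMT\nnotAfter=May 15 10:00:00 2023 GMT"),
]

if __name__ == "__main__":
    for label, days, verdict in audit(SAMPLE):
        print(f"{label:16} {days:5d} days  {verdict}")
```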