@qrkourier
Last active October 11, 2021 07:57
Install a Server Certificate For oVirt Manager UI

Install server certificates issued by a private CA on the oVirt 4 Manager (the engine server) and on each oVirt host. Back up every file before overwriting it: the oVirt-generated certificates are what you fall back to if the new ones do not work.

  • Generate a certificate signing request (CSR) on the system where oVirt Manager is running (the engine server), reusing the existing Apache private key. Use the Manager's FQDN as the CN and, because browsers match the name against the subjectAltName rather than the CN, request it as a DNS SAN too:
openssl req -new -sha256 -key /etc/pki/ovirt-engine/keys/apache.key.nopass -out /tmp/engine.csr
  • Submit the CSR to the issuer and wait. Or, if you are the issuer and you happen to be using FreeIPA/IdM, issue the certificate with ipa-admintools. For example (--add creates the HTTP service principal if it does not exist yet; the serial number given to cert-show is the one cert-request prints, 536739860 is only an example):
ipa host-add engine.example.com
ipa cert-request --add --principal=HTTP/engine.example.com /tmp/engine.csr
ipa cert-show 536739860 --out=/tmp/engine.crt
  • Copy the newly issued server certificate to the engine server as
**/etc/pki/ovirt-engine/certs/apache.cer**
  • You must also install the issuer's signing certificate (the CA certificate in PEM form) in three locations on the engine server:

    /etc/pki/ovirt-engine/ca.pem

    /etc/pki/ovirt-engine/apache-ca.pem

    /etc/pki/ca-trust/source/anchors/apache-ca.pem

  • The following commands install the issuer's certificate in the system-wide Java trust store (update-ca-trust rebuilds the store from the anchors directory) and list the entry so that you can compare its fingerprint with the one openssl x509 -noout -fingerprint reports for apache-ca.pem. The alias here matches the FreeIPA CA's subject; if the lookup fails, list the store without -alias to find the alias update-ca-trust assigned.

update-ca-trust extract
keytool -list -alias certificateauthority -keystore /etc/pki/java/cacerts
  • Create or modify /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf so that it contains the two variables below, which make ovirt-engine.service trust the system-wide Java trust store instead of oVirt's built-in SSO trust store:
ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts"
ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD=""
  • Restart the engine and Apache services on the engine server:
systemctl restart ovirt-engine.service httpd.service
  • Wait about a minute before logging in to the Manager GUI
  • Copy the issuer's signing certificate (the same CA certificate installed on the engine) to each of the following locations on the oVirt host:
**/etc/pki/CA/cacert.pem**

**/etc/pki/vdsm/certs/cacert.pem**

**/etc/pki/vdsm/libvirt-spice/ca-cert.pem**
  • Generate a CSR on the oVirt host from the existing VDSM key, with the host's FQDN as CN and as a DNS SAN:
openssl req -new -sha256 -key /etc/pki/vdsm/keys/vdsmkey.pem -out /tmp/hypervisor.csr
  • Copy the CSR to the issuer. If you're using FreeIPA you may issue the certificate with ipa-admintools as demonstrated above, substituting the host's FQDN, and copy it back to the oVirt host.

  • Install the server certificate in three locations on the oVirt host:

**/etc/pki/vdsm/certs/vdsmcert.pem**

**/etc/pki/vdsm/libvirt-spice/server-cert.pem**

**/etc/pki/libvirt/clientcert.pem**
  • Restart vdsmd on the oVirt host:
systemctl restart vdsmd.service
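The two CSR steps and the "did the copy actually take" checks for both the engine and the host procedures, as an added example: this is not part of the original gist and not oVirt or VDSM tooling. It assumes only the openssl CLI (1.0.2 or newer, hence a temporary config file instead of -addext), takes every path as an argument (the gist's paths appear only in comments), and uses example.com names as placeholders.

```sh
#!/bin/sh
# Added example, not from the gist: CSR helper plus post-install checks for
# an oVirt engine or host certificate swap. Assumes only the openssl CLI.

# Write a CSR for FQDN $2 from private key $1 to $3. The FQDN goes into the
# CN and into a DNS subjectAltName; clients match on the SAN, not the CN.
# A temporary config avoids -addext, which older openssl (e.g. EL7) lacks.
make_csr() {
    key=$1; fqdn=$2; out=$3
    cfg=$(mktemp)
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = $fqdn
[san]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -key "$key" -out "$out" -config "$cfg"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# True if CSR $1 carries a DNS SAN for $2 (check before sending it to the CA).
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# True if certificate $1 was issued for private key $2: compare the public
# keys, which works for RSA and EC alike.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$a" = "$b" ]
}

# True if certificate $1 validates against CA file $2.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# True if every file after the first has the same SHA-256 fingerprint as the
# first. Catches a stale or partial copy among the three CA locations.
same_fingerprint() {
    ref=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    shift
    for f in "$@"; do
        [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$ref" ] || return 1
    done
}

# Offline checks for one installed set: server cert $1, its key $2, the
# reference CA copy $3, then any further CA copies. Prints the first problem.
# Engine: check_install /etc/pki/ovirt-engine/certs/apache.cer \
#           /etc/pki/ovirt-engine/keys/apache.key.nopass \
#           /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/ca.pem \
#           /etc/pki/ca-trust/source/anchors/apache-ca.pem
# Host:   check_install /etc/pki/vdsm/certs/vdsmcert.pem \
#           /etc/pki/vdsm/keys/vdsmkey.pem /etc/pki/vdsm/certs/cacert.pem \
#           /etc/pki/CA/cacert.pem /etc/pki/vdsm/libvirt-spice/ca-cert.pem
check_install() {
    cert=$1; key=$2; ca=$3; shift 3
    cert_matches_key "$cert" "$key" || { echo "key does not match $cert"; return 1; }
    cert_chains_to_ca "$cert" "$ca" || { echo "$cert does not chain to $ca"; return 1; }
    same_fingerprint "$ca" "$@" || { echo "CA copies differ from $ca"; return 1; }
    echo "ok: $cert"
}

# Online check, for after the restart: does host:port ($1) present a chain
# that CA file $2 validates, with SNI set to the host name?
# e.g. check_endpoint engine.example.com:443 /etc/pki/ovirt-engine/apache-ca.pem
check_endpoint() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}
```

Source the file and run check_install once per machine right after copying the files and again after the restart; check_endpoint is the only step that needs the services up. A mismatch between apache.cer and apache.key.nopass is the usual cause of httpd refusing to start after this procedure, and same_fingerprint catches the case where one of the three CA copies was left at the old oVirt CA.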