Appendix D: oVirt and SSL

Replacing the oVirt Engine SSL/TLS Certificate

Warning: Do not change the permissions and ownerships for the /etc/pki directory or any subdirectories. The permission for the /etc/pki and the /etc/pki/ovirt-engine directory must remain as the default 755.

Use the following procedure(s) if you want to use your organization’s third-party CA certificate to identify the oVirt Engine to users connecting over HTTPS.

Note: Using a third-party CA certificate for HTTPS connections does not affect the certificate used for authentication between the Engine and hosts. They will continue to use the self-signed certificate generated by the Engine.


  • A third-party CA certificate. This is the certificate of the CA (Certificate Authority) that issued the certificate you want to use. It is provided as a PEM file. The certificate chain must be complete up to the root certificate. The chain’s order is critical and must be from the last intermediate certificate to the root certificate. This procedure assumes that the third-party CA certificate is provided in /tmp/3rd-party-ca-cert.pem.

  • The private key that you want to use for Apache httpd. It must not have a password. This procedure assumes that it is located in /tmp/apache.key.

  • The certificate issued by the CA. This procedure assumes that it is located in /tmp/apache.cer.

If you received the private key and certificate from your CA in a P12 file, use the following procedure to extract them. For other file formats, contact your CA. After extracting the private key and certificate, proceed to Replacing the Red Hat Virtualization Manager Apache SSL Certificate.

Extracting the Certificate and Private Key from a P12 Bundle

The internal CA stores the internally generated key and certificate in a P12 file, in /etc/pki/ovirt-engine/keys/apache.p12. The oVirt Project recommends storing your new file in the same location. The following procedure assumes that the new P12 file is in /tmp/apache.p12.

  1. Back up the current apache.p12 file:

     # cp -p /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bck
  2. Replace the current file with the new file:

     # cp /tmp/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
  3. Extract the private key and certificate to the required locations. If the file is password protected, you must add -passin pass:_password_, replacing password with the required password.

     # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /tmp/apache.key
     # openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /tmp/apache.cer

Important: For new oVirt installations, you must complete all of the steps in this procedure. If you upgraded from a oVirt 3.6 environment with a commercially signed certificate already configured, only steps 1, 8, and 9 are required.

Replacing the oVirt Engine Apache SSL Certificate

  1. Add your CA certificate to the host-wide trust store.

     # cp YOUR-3RD-PARTY-CERT.pem /etc/pki/ca-trust/source/anchors
     # update-ca-trust
  2. The Engine has been configured to use /etc/pki/ovirt-engine/apache-ca.pem, which is symbolically linked to /etc/pki/ovirt-engine/ca.pem. Remove the symbolic link.

     # rm /etc/pki/ovirt-engine/apache-ca.pem
  3. Save your CA certificate as /etc/pki/ovirt-engine/apache-ca.pem.

     # cp /tmp/3rd-party-ca-cert.pem /etc/pki/ovirt-engine/apache-ca.pem
  4. Back up the existing private key and certificate:

     # cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bck
     # cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bck
  5. Copy the private key to the required location:

     # cp /tmp/apache.key /etc/pki/ovirt-engine/keys/apache.key.nopass
  6. Copy the certificate to the required location:

     # cp /tmp/apache.cer /etc/pki/ovirt-engine/certs/apache.cer
  7. Restart the Apache server:

     # systemctl restart httpd.service
  8. Create a new trust store configuration file:

     # vi /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf

    Add the following content and save the file:

  9. Edit the /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf file:

     # vi /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf

    Make the following changes and save the file:

  10. Edit the /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf file:

    # vi /etc/ovirt-imageio-proxy/ovirt-imageio-proxy.conf

    Make the following changes and save the file:

    # Key file for SSL connections
    ssl_key_file = /etc/pki/ovirt-engine/keys/apache.key.nopass
    # Certificate file for SSL connections
    ssl_cert_file = /etc/pki/ovirt-engine/certs/apache.cer
  11. Restart the ovirt-provider-ovn service:

    # systemctl restart ovirt-provider-ovn.service
  12. Restart the ovirt-imageio-proxy service:

    # systemctl restart ovirt-imageio-proxy
  13. Restart the ovirt-websocket-proxy service:

    # systemctl restart ovirt-websocket-proxy
  14. Restart the ovirt-engine service:

    # systemctl restart ovirt-engine.service

Your users can now connect to the Administration Portal and VM Portal without being warned about the authenticity of the certificate used to encrypt HTTPS traffic.

Setting Up SSL or TLS Connections between the Engine and an LDAP Server

To set up a secure connection between the oVirt Engine and an LDAP server, obtain the root CA certificate of the LDAP server, copy the root CA certificate to the Engine, and create a PEM-encoded CA certificate. The keystore type can be any Java-supported type. The following procedure uses the Java KeyStore (JKS) format.

Note: For more information on creating a PEM-encoded CA certificate and importing certificates, see the X.509 CERTIFICATE TRUST STORE section of the README file at /usr/share/doc/ovirt-engine-extension-aaa-ldap-version.

Creating a PEM-encoded CA certificate

  1. On the oVirt Engine, copy the root CA certificate of the LDAP server to the /tmp directory and import the root CA certificate using keytool to create a PEM-encoded CA certificate. The following command imports the root CA certificate at /tmp/myrootca.pem and creates a PEM-encoded CA certificate myrootca.jks under /etc/ovirt-engine/aaa/. Note down the certificate’s location and password. If you are using the interactive setup tool, this is all the information you need. If you are configuring the LDAP server manually, follow the rest of the procedure to update the configuration files.

     $ keytool -importcert -noprompt -trustcacerts -alias myrootca -file /tmp/myrootca.pem -keystore /etc/ovirt-engine/aaa/myrootca.jks -storepass password
  2. Update the /etc/ovirt-engine/aaa/ file with the certificate information:

    Note: ${local:_basedir} is the directory where the LDAP property configuration file resides and points to the /etc/ovirt-engine/aaa directory. If you created the PEM-encoded CA certificate in a different directory, replace ${local:_basedir} with the full path to the certificate.

    • To use startTLS (recommended):

        # Create keystore, import certificate chain and uncomment
        pool.default.ssl.startTLS = true
        pool.default.ssl.truststore.file = ${local:\_basedir}/myrootca.jks
        pool.default.ssl.truststore.password = password
    • To use SSL:

        # Create keystore, import certificate chain and uncomment
        pool.default.serverset.single.port = 636
        pool.default.ssl.enable = true
        pool.default.ssl.truststore.file = ${local:\_basedir}/myrootca.jks
        pool.default.ssl.truststore.password = password

To continue configuring an external LDAP provider, see Configuring an External LDAP Provider. To continue configuring LDAP and Kerberos for Single Sign-on, see Configuring LDAP and Kerberos for Single Sign-on.

Prev: Appendix C: oVirt User Interface Plugins
Next: Appendix E: Branding

Adapted from RHV 4.2 documentation - CC-BY-SA