Hello all- I am looking for a methodology to force oVirt to use certs/keys managed and deployed externally. These are automated by our various automation systems and are configured to match our security policies. Rogue and/or non-transparent and/or standalone CAs in our org do not comply with our security policy.
If I pre-deploy certificates and keys, does oVirt engine still need to be a CA? Similarly, our encryption policy requires use of RSA 4096 or ED25519 for SSH. This, as I understand it, is also not compatible with the RSA 2048 generated/used by the engine's internal CA. Is SSHing to this new host using this key necessary, or can I externally enroll a new host into a cluster or - if not - use different SSH key via the engine (likely derived from the above/below-mentioned certs, which may be RSA 4096)? Essentially, could I: 1. Pre-provision certificates and keys in /etc/pki/ovirt-*/ with the appropriate filenames<https://www.ovirt.org/develop/release-management/features/infra/pki.html#file-locations> 2. Run engine-setup for the first​ time (using an answers file)? Will engine-setup balk at the existence of those files, silently overwrite them, or use them? Thanks in advance. Brent Saner SENIOR SYSTEMS ENGINEER Follow us on LinkedIn! brent.sa...@netfire.com 855-696-3834 Ext. 110 www.netfire.com
_______________________________________________ Users mailing list -- users@ovirt.org To unsubscribe send an email to users-le...@ovirt.org Privacy Statement: https://www.ovirt.org/privacy-policy.html oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/ List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/JDKQBBGQR3LCXZ6SFFRSOBSWXDVAXB44/