Hello all-

I am looking for a methodology to force oVirt to use certs/keys managed and 
deployed externally. These are automated by our various automation systems and 
are configured to match our security policies. Rogue and/or non-transparent 
and/or standalone CAs in our org do not comply with our security policy.

If I pre-deploy certificates and keys, does oVirt engine still need to be a CA?

Similarly, our encryption policy requires use of RSA 4096 or ED25519 for SSH. 
This, as I understand it, is also not compatible with the RSA 2048 
generated/used by the engine's internal CA. Is SSHing to this new host using 
this key necessary, or can I externally enroll a new host into a cluster or - 
if not - use different SSH key via the engine (likely derived from the 
above/below-mentioned certs, which may be RSA 4096)?

Essentially, could I:

  1. Pre-provision certificates and keys in /etc/pki/ovirt-*/ with the appropriate 
     filenames (https://www.ovirt.org/develop/release-management/features/infra/pki.html#file-locations)
  2. Run engine-setup for the first time (using an answers file)?

Will engine-setup balk at the existence of those files, silently overwrite 
them, or use them?

Thanks in advance.


Brent Saner
SENIOR SYSTEMS ENGINEER
Follow us on LinkedIn!
brent.sa...@netfire.com
855-696-3834 Ext. 110
www.netfire.com
_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: 
https://www.ovirt.org/community/about/community-guidelines/
List Archives: 
https://lists.ovirt.org/archives/list/users@ovirt.org/message/JDKQBBGQR3LCXZ6SFFRSOBSWXDVAXB44/
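An added example, not from the original post and not oVirt project code: a small POSIX shell helper for the two checks the question implies. It tests whether a pre-deployed key meets the stated policy (RSA with a modulus of at least 4096 bits, or Ed25519), whether a pre-deployed certificate actually belongs to the key beside it, and whether a leaf chains to the organisation's CA rather than a standalone one; and it records a SHA-256 snapshot of the PKI directory so that a second snapshot after engine-setup shows exactly which files were left alone, rewritten or added. Assumptions: openssl(1) is on the PATH; the directory defaults to /etc/pki/ovirt-engine with a keys/ and certs/ layout; the file names in the usage comments (engine_id_rsa, engine.cer) are taken from the PKI page linked in the post and are assumptions here, not verified against a running engine. The script does not assert how engine-setup treats existing files; the snapshot pair is there so that can be established empirically on a test engine.

```shell
#!/bin/sh
# Added example (not the poster's or the oVirt project's code): pre-flight checks
# for externally managed PKI material, plus a before/after snapshot to see what
# engine-setup did with it.  Assumption: PKI_DIR is /etc/pki/ovirt-engine and
# holds keys/ and certs/ as on the oVirt PKI feature page.
set -u
PKI_DIR="${PKI_DIR:-/etc/pki/ovirt-engine}"

# Policy from the post: RSA >= 4096 bits, or Ed25519.  Anything else (RSA 2048,
# EC P-256, an unreadable file) returns non-zero.
key_meets_policy() {
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
    if printf '%s\n' "$text" | grep -q '^ED25519 Private-Key'; then
        return 0
    fi
    # RSA output starts "Private-Key: (N bit ...)" (or "RSA Private-Key: ..." on
    # OpenSSL 1.1.1) and has a "modulus:" line.  EC keys share the header form
    # but have no modulus, so they fail here as the policy intends.
    printf '%s\n' "$text" | grep -q '^modulus:' || return 1
    bits=$(printf '%s\n' "$text" | head -n 1 | sed -nE 's/.*\(([0-9]+) bit.*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -ge 4096 ]; then return 0; else return 1; fi
}

# Does the certificate's SubjectPublicKeyInfo equal the key's public half?
# Works for RSA and Ed25519 alike because both are compared as PEM SPKI.
cert_matches_key() {  # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then return 0; else return 1; fi
}

# Does the leaf chain to the organisation's CA bundle (and not to some
# standalone CA)?  Chain validity only; names and dates are engine-setup's job.
cert_issued_by() {  # $1 = org CA bundle (PEM), $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# One "<sha256>  <relative path>" line per file, sorted, so two snapshots can be
# compared after engine-setup has run.
pki_snapshot() {  # $1 = directory
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          printf '%s  %s\n' "$(openssl dgst -sha256 -r "$f" | cut -d' ' -f1)" "${f#./}"
      done )
}

# Paths whose hash differs between two snapshots, or that exist in only one.
pki_changed() {  # $1 = before snapshot, $2 = after snapshot
    LC_ALL=C sort "$1" "$2" | uniq -u | sed 's/^[^ ]*  //' | LC_ALL=C sort -u
}

# Usage (nothing runs when the file is sourced or invoked without arguments):
#   sh pki-check.sh policy   /etc/pki/ovirt-engine/keys/engine_id_rsa
#   sh pki-check.sh match    /etc/pki/ovirt-engine/certs/engine.cer /etc/pki/ovirt-engine/keys/engine_id_rsa
#   sh pki-check.sh chain    /etc/pki/org-ca.pem /etc/pki/ovirt-engine/certs/engine.cer
#   sh pki-check.sh snapshot /etc/pki/ovirt-engine > before.txt   (then run engine-setup, snapshot again)
#   sh pki-check.sh changed  before.txt after.txt
case "${1:-}" in
    policy)   key_meets_policy "$2" && echo "OK: $2 meets RSA>=4096/Ed25519 policy" ;;
    match)    cert_matches_key "$2" "$3" && echo "OK: $2 is the certificate for $3" ;;
    chain)    cert_issued_by "$2" "$3" && echo "OK: $3 chains to $2" ;;
    snapshot) pki_snapshot "$2" ;;
    changed)  pki_changed "$2" "$3" ;;
esac
```

Run `snapshot` once before the first engine-setup and once after; an empty `changed` list means the pre-provisioned files were used as-is, while a list that names keys/ or certs/ entries shows exactly what the internal CA regenerated, which answers the "balk, overwrite or use" question for your version without guessing.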