oVirt: replacing the certificate with a self-signed one
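2020-04-07 18:25 不能说的秘密~
Requirement
I wrote a Python backend myself and added it to the oVirt engine web UI, as shown in the figure. But on the first visit the insecure connection has to be accepted twice. The oVirt web UI uses HTTPS; I tried to add HTTP content to it and could not.
It can only use HTTPS as well. I want to access it by IP address and then accept the insecure connection only once (the program uses the same certificate as oVirt), which is convenient for the customer.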
Self-signing a certificate
mkdir ca
Create the private key (RSA, 2048 bits)
openssl genrsa -out ca/apache-ca.pem 2048
Create the certificate signing request
openssl req -new -out ca/ca-req.csr -key ca/apache-ca.pem
Self-sign the certificate
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/apache-ca.pem -days 3650
Export the certificate in .p12 format
openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/apache-ca.pem -out ca/apache.p12
Now replace the oVirt SSL files
Delete or back up the originals
cp /etc/pki/ovirt-engine/apache-ca.pem /etc/pki/ovirt-engine/apache-ca.pem.bak
rm -rf /etc/pki/ovirt-engine/apache-ca.pem
cp /etc/pki/ovirt-engine/keys/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12.bak
rm -rf /etc/pki/ovirt-engine/keys/apache.p12
cp /etc/pki/ovirt-engine/keys/apache.key.nopass /etc/pki/ovirt-engine/keys/apache.key.nopass.bak
rm -rf /etc/pki/ovirt-engine/keys/apache.key.nopass
cp /etc/pki/ovirt-engine/certs/apache.cer /etc/pki/ovirt-engine/certs/apache.cer.bak
rm -rf /etc/pki/ovirt-engine/certs/apache.cer
mv ca/apache-ca.pem /etc/pki/ovirt-engine/
cp ca/apache.p12 /etc/pki/ovirt-engine/keys/apache.p12
Extract the key from the .p12 bundle
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nocerts -nodes > /etc/pki/ovirt-engine/keys/apache.key.nopass
openssl pkcs12 -in /etc/pki/ovirt-engine/keys/apache.p12 -nokeys > /etc/pki/ovirt-engine/certs/apache.cer
systemctl restart httpd
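
A check worth running on the extracted apache.cer and apache.key.nopass before httpd is restarted, as an added example that is not part of the original post: it confirms the certificate and key belong together and that the key is at least 2048 bits. The function names, the subject name engine.example.test and the empty export password in the constructed sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks to run on the
# staged files before they overwrite anything under /etc/pki/ovirt-engine.

# True only when certificate $1 and private key $2 carry the same public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the public key size, in bits, recorded in certificate $1.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Constructed sample: repeats the post's key -> CSR -> self-signed cert -> .p12
# -> extraction steps inside directory $1, with an empty export password and a
# hypothetical subject name, so nothing on the host is touched.
make_sample() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/key.pem" -subj "/CN=engine.example.test" \
        -out "$1/req.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/req.csr" -signkey "$1/key.pem" -days 1 \
        -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -clcerts -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/apache.p12" -passout pass: &&
    openssl pkcs12 -in "$1/apache.p12" -passin pass: -nocerts -nodes \
        -out "$1/apache.key.nopass" 2>/dev/null &&
    openssl pkcs12 -in "$1/apache.p12" -passin pass: -nokeys \
        -out "$1/apache.cer" 2>/dev/null
}

# Reports on the staged pair in directory $1; non-zero means "do not install".
check_staged() {
    pair_matches "$1/apache.cer" "$1/apache.key.nopass" ||
        { echo "certificate and key do not match"; return 1; }
    bits=$(cert_bits "$1/apache.cer")
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    echo "ok: matching pair, $bits-bit key"
}

# With one directory argument, check the apache.cer / apache.key.nopass in it.
if [ "$#" -eq 1 ]; then check_staged "$1"; fi
```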