全局CA：

  CA证书：

      engine主机上：/etc/pki/ovirt-engine/ca.pem 

      node主机上： /etc/pki/vdsm/certs/cacert.pem

                        /etc/pki/vdsm/libvirt-spice/ca-cert.pem

                        /etc/pki/CA/cacert.pem

  CA私钥：

      engine主机上： /etc/pki/ovirt-engine/private/ca.pem

engine：

  engine证书：

    engine主机上： /etc/pki/ovirt-engine/certs/engine.cer  --x509格式

                        /etc/pki/ovirt-engine/keys/engine.p12  --pkcs格式，密码mypass

  engine私钥：

    engine主机上： /etc/pki/ovirt-engine/keys/engine_id_rsa

node：

  node证书：

      node主机上： /etc/pki/vdsm/certs/vdsmcert.pem

                        /etc/pki/vdsm/libvirt-spice/server-cert.pem

                        /etc/pki/libvirt/clientcert.pem

  node私钥：

      node主机上：/etc/pki/vdsm/certs/vdsmkey.pem

                      /etc/pki/vdsm/libvirt-spice/server-key.pem

                      /etc/pki/libvirt/private/clientkey.pem

ovirt engine与node交互时使用双向认证，因此engine证书过期和node节点上的vdsm证书过期都会导致无法连接

openssl手动测试https连接：

openssl  s_client -connect {{ node_ip }}:54321 -cert /etc/pki/ovirt-engine/certs/engine.cer -key /etc/pki/ovirt-engine/keys/engine_id_rsa -CAfile /etc/pki/ovirt-engine/ca.pem

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

证书生成命令：

engine证书：

mkdir  /etc/pki/ovrit-engine/test

cd /etc/pki/ovrit-engine/test

#使用原来的私钥生成证书请求文件：  O=Handpay CN=pay-ovirt-engine(200.95上原证书配置，应根据环境不同做对应修改)

openssl req -new -key ../keys/engine_id_rsa  -out newengine.csr

#用ca签发csr

cd /etc/pki/ovirt-engine

openssl ca -in test/newengine.csr  -out newengine.cer -cert ca.pem -keyfile private/ca.pem -config openssl.conf -days 9999

#newengine.cer就是新的证书

#用newengine.cer 替换 /etc/pki/ovirt-engine/certs/engine.cer

cp newengine.cer  /etc/pki/ovirt-engine/certs/engine.cer

#生成p12证书，密码mypass

cd /etc/pki/ovirt-engine/keys/

openssl pkcs12 -export -out engine.p12 -in ../certs/engine.cer -inkey engine_id_rsa

#重启engine

service ovirt-engine restart

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

node证书：

#以192.168.23.51为例

#将 node上的私钥复制到engine主机上：

mkdir /tmp/test

cd /tmp/test

scp 10.88.202.51:/etc/pki/vdsm/certs/vdsmkey.pem  .

#用原来的私钥生成csr，O=Handpay CN=192.168.23.51

openssl req -new -key /tmp/test/vdsmkey.pem  -out 192.168.23.51.csr

#用ca签发csr

openssl ca -in 192.168.23.51.csr  -out 192.168.23.51.cer -cert /etc/pki/ovirt-engine/ca.pem  -keyfile  /etc/pki/ovirt-engine/private/ca.pem -config openssl.conf -days 9999

#生成的 192.168.23.51.cer就是node的证书

#把这个证书覆盖node上的三个位置：

scp 192.168.23.51.cer  192.168.23.51:/etc/pki/vdsm/certs/vdsmcert.pem

scp 192.168.23.51.cer  192.168.23.51:/etc/pki/vdsm/libvirt-spice/server-cert.pem

scp 192.168.23.51.cer  192.168.23.51:/etc/pki/libvirt/clientcert.pem

#重启51上的vdsmd

ssh 192.168.23.51

systemctl restart vdsmd.service