[Libvir] [PATCH] Remote 3/8: Client-side

Richard W.M. Jones rjones at redhat.com
Mon May 14 08:27:42 UTC 2007


Mark McLoughlin wrote:
>   * Also, Postfix allows you to trust all clients with certs from 
>     trusted CAs:
> 
>       http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts
> 
>     It seems like an odd configuration option to me. You'd probably 
>     only use this with a single trusted CA which you have direct 
>     control over.

This is actually a common and useful configuration.

You set up your own CA and point the server's CACERT to your own CA's 
certificate (and no other CA).  Then only the clients for which you 
issue certificates can connect, and this is controlled by distribution 
of the private keys, not by explicit access control lists.  If a private 
key file goes AWOL then you can revoke it.

Note that libvirtd _doesn't_ quite support this sort of access because 
it doesn't support wildcards in the commonNames in the client 
certificates, but that would be a useful and simple addition.

Rich.

-- 
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
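The trust model described in the reply (the server trusts exactly one CA, so only clients holding a key and certificate issued by that CA can connect, and a lost key is handled by revocation) together with the wildcard-in-commonName matching the reply says libvirtd lacked, shown here as an added example. This is illustration code, not libvirt's or Postfix's implementation: it uses Python's `ssl` module, the `getpeercert()` dictionary layout for a verified client certificate, and shell-style (`fnmatch`) patterns over a flattened subject DN. The function names, the sample peer-certificate data and the pattern syntax are all assumptions made for the example.

```python
import fnmatch
import ssl

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns for a verified client certificate (sample data, not real certs).
SAMPLE_PEERS = {
    "issued-host": {
        "subject": ((("countryName", "GB"),),
                    (("organizationName", "Example Ltd"),),
                    (("commonName", "host1.example.com"),)),
    },
    "issued-admin": {
        "subject": ((("countryName", "GB"),),
                    (("organizationName", "Example Ltd"),),
                    (("commonName", "admin"),)),
    },
    "other-org": {
        "subject": ((("countryName", "GB"),),
                    (("organizationName", "Other Corp"),),
                    (("commonName", "host9.example.com"),)),
    },
}

# Abbreviations used when flattening the subject into a DN string.
_SHORT = {"countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
          "organizationName": "O", "organizationalUnitName": "OU",
          "commonName": "CN"}


def subject_dn(peercert):
    """Flatten getpeercert()['subject'] into 'C=GB,O=Example Ltd,CN=host1...'."""
    parts = []
    for rdn in peercert.get("subject", ()):
        for attr, value in rdn:
            parts.append(f"{_SHORT.get(attr, attr)}={value}")
    return ",".join(parts)


def client_allowed(peercert, allowed_patterns):
    """True if the client's DN matches any allowed pattern (hypothetical policy).

    Patterns use shell-style wildcards, so 'C=GB,O=Example Ltd,CN=*' admits every
    certificate whose subject sits in that organisation, which is the wildcard
    support the mail describes as a useful addition. A pattern of just '*' is the
    'trust every cert from the CA' policy, and an empty list admits nobody.
    """
    dn = subject_dn(peercert)
    return any(fnmatch.fnmatchcase(dn, pat) for pat in allowed_patterns)


def build_server_context(cafile, certfile, keyfile, crlfile=None):
    """Server-side TLS context that trusts ONLY the given CA.

    Clients must present a certificate chaining to that CA (CERT_REQUIRED); no
    system CA bundle is loaded, so certificates from any other CA are rejected.
    If a CRL file is supplied, revoked client certificates are rejected as well,
    which is the 'revoke an AWOL private key' part of the model. Requires real
    PEM files, so it is not exercised by the offline sample data above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=cafile)       # our CA and nothing else
    if crlfile:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        ctx.load_verify_locations(cafile=crlfile)  # CRLs load the same way
    return ctx


if __name__ == "__main__":
    policy = ["C=GB,O=Example Ltd,CN=*"]
    for name, cert in SAMPLE_PEERS.items():
        print(f"{name:12s} {subject_dn(cert):45s} allowed={client_allowed(cert, policy)}")
```

The two checks are deliberately separate layers: `build_server_context` enforces "issued by our CA" at the TLS handshake, and `client_allowed` is the per-DN policy applied afterwards on the verified subject. With the CA pinned, a policy of `["*"]` reproduces what the Postfix option in the quoted text does, and a narrower pattern list reproduces an explicit allow-list without wildcards.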