[libvirt] A script for setting up x509 certs for libvirt/spice/vnc

Daniel P. Berrange berrange at redhat.com
Fri Feb 17 14:22:25 UTC 2012

After 4 years of swearing at the pain of setting up x509 certs, I finally
decided to try to write a script to automate it.

I'm attaching a very raw proof of concept called "virt-pki-admin.pl".

It does the following:

 * Create CA key+cert
 * Create server + client keys+cert & sign with the CA
 * Copy server/client certs to remote hosts into correct directories

which is sufficient to get up & running with libvirtd/virt-manager/virsh
etc. using x509.


  // Create a self-signed CA
  virt-pki-admin.pl init "Evil CA"

  // Add some servers
  virt-pki-admin add_server "Evil Moonbase" alpha.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" beta.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" gamma.moonbase.evil.com

  // And some clients
  virt-pki-admin add_client "Evil Henchmen" up.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" down.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" strange.moonbase.evil.com

  // Copy the server certs/keys via the SSH root account
  virt-pki-admin deploy_server alpha.moonbase.evil.com
  virt-pki-admin deploy_server beta.moonbase.evil.com
  virt-pki-admin deploy_server gamma.moonbase.evil.com

  // Copy the client certs/keys via the SSH root account
  virt-pki-admin deploy_client up.moonbase.evil.com
  virt-pki-admin deploy_client down.moonbase.evil.com
  virt-pki-admin deploy_client strange.moonbase.evil.com

  // Copy the client certs/keys via the SSH $USER account
  virt-pki-admin deploy_user_client up.moonbase.evil.com
  virt-pki-admin deploy_user_client down.moonbase.evil.com
  virt-pki-admin deploy_user_client strange.moonbase.evil.com

With that, if you are logged in as 'root' on any of 'up', 'down', or 'strange',
you can connect to any server using qemu+tls://hostname/system. Likewise
for non-root accounts, which also have GTK-VNC and SPICE-GTK certs set up
to allow graphical access to QEMU using x509 certs.

With some more work I plan to submit this to libvirt, but for now here
is the script in case it is useful.

BTW it stores all certs & keys in $HOME/.libvirt/pki/ on the machine
used to run the command. You can safely experiment with any of the
commands *except* the 'deploy_' ones without messing up your current
x509 config.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: virt-pki-admin.pl
Type: application/x-perl
Size: 10071 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20120217/a553fa49/attachment-0001.pl>
