[libvirt-users] TLS and intermediate CA

Nathaniel Cook nathanielc at qualtrics.com
Mon Apr 21 22:51:00 UTC 2014

I have been trying to get set of libvirtd system up and running.  My PKI
infrastructure involves a root CA and several intermediate CAs. I am trying
to get the machines to trust each other across the different intermediate

This is what I have so far:

Libvirtd is starting and listening on tls port 16514 I have configured
client/server certs/keys and it seems to be using all of these correctly.

I have also configured the cacert.pem file (which has two certs in the
chain). I have confirmed (recompiling with various debug statements) that
the gnutls libraries are successfully loading both certs from the
cacert.pem file.

When I try to connect with openssl s_client -connect <host>:16514 I get
something similar to this:
Certificate chain
 0 s:/CN=kvm999.example.com
Server certificate
... omitted for brevity
Acceptable client certificate CA names

The "Server certificate" and "Acceptable client certificate CA names" look
right. The problem is that the certificate chain is just the single server
cert and does not include the intermediate cert or root cert. As a result
clients from other intermediate CAs fail to verify the libvirtd process.

I have tried libvirtd 0.10.2 and 1.2.1 both on CentOS 6.


-Nathaniel Cook
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20140421/d0bbb18d/attachment.htm>

More information about the libvirt-users mailing list