[libvirt-users] TLS and intermediate CA

Daniel P. Berrange berrange at redhat.com
Tue Apr 22 10:37:38 UTC 2014 

On Mon, Apr 21, 2014 at 04:51:00PM -0600, Nathaniel Cook wrote:
> I have been trying to get set of libvirtd system up and running.  My PKI
> infrastructure involves a root CA and several intermediate CAs. I am trying
> to get the machines to trust each other across the different intermediate
> CAs.
> 
> This is what I have so far:
> 
> Libvirtd is starting and listening on tls port 16514 I have configured
> client/server certs/keys and it seems to be using all of these correctly.
> 
> I have also configured the cacert.pem file (which has two certs in the
> chain). I have confirmed (recompiling with various debug statements) that
> the gnutls libraries are successfully loading both certs from the
> cacert.pem file.
> 
> When I try to connect with openssl s_client -connect <host>:16514 I get
> something similar to this:
> ---
> Certificate chain
>  0 s:/CN=kvm999.example.com
>    i:/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> ... omitted for brevity
> -----END CERTIFICATE-----
> subject=/CN=kvm999.example.com
> issuer=/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
> ---
> Acceptable client certificate CA names
> /C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
> /C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=rootca.example.com
> ---
> 
> 
> The "Server certificate" and "Acceptable client certificate CA names" look
> right. The problem is that the certificate chain is just the single server
> cert and does not include the intermediate cert or root cert. As a result
> clients from other intermediate CAs fail to verify the libvirtd process.

If you have a chain of CAs

   caroot -> child-ca1 -> child-ca2 -> server cert

Then the cacert.pem file you create on the clients / server must
include the certs for caroot, child-ca1 and child-ca2 all in one
file. You can basically just concatenate the .pem files for all
the CAs into one file and gnutls will load all the CA cert blocks
it finds in that file


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the libvirt-users mailing list