[libvirt-users] TLS and intermediate CA

Nathaniel Cook nathanielc at qualtrics.com
Tue Apr 22 19:11:14 UTC 2014


OK, so I figured out my own problem. Basically I needed to add the CA chain
to each of the cert files. The cacert.pem file had the entire chain, but
since the clientcert.pem and the servercert.pem files only had a single
cert, during the handshake the chains were not presented and so verification
failed. Once I appended the chain to both the server and client certs the
handshake passed. Thanks for the help. I hope this discussion helps others
who have similar problems.

In summary, the contents of each of my files are as follows:

servercert.pem --
cert unique to server
child-ca1 cert
caroot cert


clientcert.pem --
cert unique to client
child-ca1 cert
caroot cert


cacert.pem --
child-ca1 cert
caroot cert


On Tue, Apr 22, 2014 at 8:35 AM, Daniel P. Berrange <berrange at redhat.com> wrote:

> On Tue, Apr 22, 2014 at 08:24:43AM -0600, Nathaniel Cook wrote:
> > Thanks for the response.
> >
> > My current chain is as follows:
> >
> > caroot -> child-ca1 -> server cert
> >
> > My cacert.pem file has both the caroot and the child-ca1 certs. I have
> > recompiled libvirt on my machine with some extra debug statements and
> > verified that both the caroot cert and the child-ca1 certs are being
> > loaded. But when I try to connect the caroot and child-ca1 certs only
> > appear under the "Acceptable client certificate CA names" not the
> > certificate chain. The error I get on the client when connecting is that
> > the server identity could not be verified since the server isn't
> > presenting
> > the entire CA chain just its own cert.
>
> Are you willing / able to share the output of
>
>  certtool -i --infile <filename>.pem
>
> for the cacert.pem and servercert.pem on the server, and likewise for
> the cacert.pem and clientcert.pem (if used) on the client that fails to
> connect?
>
> Regards,
> Daniel
> --
> |: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/:|
> |: http://libvirt.org              -o-             http://virt-manager.org:|
> |: http://autobuild.org       -o-         http://search.cpan.org/~danberr/:|
> |: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc:|
>



-- 
-Nathaniel Cook
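As an added example (not code from this thread or from libvirt), a Python check for the misconfiguration described above: it walks each certificate's issuer and subject Names with a minimal DER decoder and reports whether a PEM bundle is ordered leaf, child-ca1, caroot and ends in a self-signed root, which is what a single-cert servercert.pem or clientcert.pem fails. The sample certificates are constructed stand-ins with just enough DER structure to parse, not real X.509 certificates.

```python
# Added example (not from the thread): check that a libvirt PEM bundle presents a
# complete, correctly ordered chain (leaf -> child-ca1 -> caroot) by comparing each
# cert's issuer Name with the next cert's subject Name. Sample certs are constructed stand-ins.
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_subject(der_cert):
    """Return (issuer, subject) Names as raw DER from a certificate."""
    tbs = tlv(tlv(der_cert)[1])[1]              # Certificate -> tbsCertificate
    pos = tlv(tbs)[2] if tbs[0] == 0xA0 else 0  # skip the optional [0] version
    for _ in range(2):                          # serialNumber, signature algorithm
        pos = tlv(tbs, pos)[2]
    _, issuer, pos = tlv(tbs, pos)
    pos = tlv(tbs, pos)[2]                      # validity
    return issuer, tlv(tbs, pos)[1]

def chain_problems(pem_text):
    """List what is wrong with the chain in a bundle; an empty list means it is OK."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [f"cert {i} is not issued by cert {i + 1}"
                for i, (iss, _) in enumerate(certs[:-1]) if iss != certs[i + 1][1]]
    if not certs or certs[-1][0] != certs[-1][1]:
        problems.append("last cert is not a self-signed root: chain is incomplete")
    return problems

# Constructed sample bundles: stand-in DER with just enough structure to parse.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here

def fake_cert(subject, issuer):
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject))
    b64 = base64.b64encode(der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

SERVER = fake_cert("server", "child-ca1")
CHILD = fake_cert("child-ca1", "caroot")
ROOT = fake_cert("caroot", "caroot")
BROKEN = SERVER                 # original servercert.pem: leaf only, chain not presented
FIXED = SERVER + CHILD + ROOT   # servercert.pem after appending child-ca1 and caroot
```

Run `chain_problems(open("servercert.pem").read())` against a real bundle; the decoder only compares the Name encodings byte for byte, so it works on real certificates without any third-party library.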