[libvirt-users] certificate pinning
Anastasiya Ruzhanskaya
anastasiya.ruzhanskaya at frtk.ru
Mon Dec 10 10:22:32 UTC 2018
And how libvirt checks that it trusts the CA? Just simply inspects the
cacert.pem file? Or it has some information inside about by which CA were
signed client and server certificates and then compares against stored
values? I mean can I just concatenate after signing or I need to combine
two CAs before generating libvirt's client and server certificates?
пн, 10 дек. 2018 г. в 13:11, Daniel P. Berrangé <berrange at redhat.com>:
> Re-adding the libvirt-users list - please don't take discussions off-list.
>
> On Mon, Dec 10, 2018 at 01:10:18PM +0300, Anastasiya Ruzhanskaya wrote:
> > I already found out how to set up all the certificates and tls works fine
> > for me.
> > What if I want to put a proxy between client and server in libvirt? He
> has
> > his own CA, and this is only one more CA I would like libvirt to trust
> to.
> > Is it somehow achievable? I see that libvirt takes certificates only from
> > predefined paths. For me doesn't work if I just incert another CA
> > certificate to the cacert.pem file. Do you know any approaches how it can
> > be made in another way?
>
> The cacert.pem file can contain multiple certificates, just concatenate
> all the CA pem files.
>
> >
> > пн, 10 дек. 2018 г. в 12:38, Daniel P. Berrangé <berrange at redhat.com>:
> >
> > > On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote:
> > > > Hello!
> > > > Does libvirt uses certificate pinning in tls? I want to setup a
> > > transparent
> > > > proxy (mitmproxy) and can't do this even after I added mitmproxy ca
> > > > certificate to the trusted certificates in ubuntu.
> > >
> > > Libvirt doesn't ever use the global certificates stores, because public
> > > CAs are not relevant to libvirt deployments - indeed trusting the
> global
> > > cert store in the OS would lower security by opening it upto arbitrary
> > > CAs. See this doc for where libvirt finds CA certs
> > >
> > > https://libvirt.org/remote.html#Remote_certificates
> > >
> > >
> > > Regards,
> > > Daniel
> > > --
> > > |: https://berrange.com -o-
> > > https://www.flickr.com/photos/dberrange :|
> > > |: https://libvirt.org -o-
> > > https://fstop138.berrange.com :|
> > > |: https://entangle-photo.org -o-
> > > https://www.instagram.com/dberrange :|
> > >
>
> Regards,
> Daniel
> --
> |: https://berrange.com -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o-
> https://www.instagram.com/dberrange :|
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/libvirt-users/attachments/20181210/acfcd821/attachment.htm>
More information about the libvirt-users
mailing list