[libvirt-users] Add trusted CA to libvirt

Daniel P. Berrangé berrange at redhat.com
Mon Dec 10 13:36:33 UTC 2018


On Sat, Dec 08, 2018 at 03:02:22PM +0300, Мозолина, Надежда Викторовна wrote:
> Hello! I am trying to make libvirt trust one more CA. I suppose that when
> libvirt establishes a connection, it doesn't take into account any system
> trusted CAs. And in /etc/pki/CA, according to the tutorial, I have only one
> CA installed. How can I add one more trusted CA for libvirt?

The cacert.pem file that libvirt loads is not restricted to a single CA.
That file can contain many CA certificates. Just concatenate all their
PEM format docs together and all will be loaded.

NB, we intentionally do not use any of the system trusted CAs by default.
For non-public facing services, using the default worldwide list of
commercial CAs offers little to no benefit. In fact it would degrade
security, because as we've seen many times it only takes one rogue public
CA to issue bad certs for a domain. For non-public services like libvirt's
API it is thus preferable to use a private CA and avoid public CAs from
the system trusted CA list entirely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
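The concatenation step described in the reply, as an added example that is not part of the original message or of the libvirt project. It builds a multi-CA bundle from several PEM files and guards against the one thing that silently breaks a naive `cat a.pem b.pem > cacert.pem`: a source file with no trailing newline, which glues `-----END CERTIFICATE-----` to the next `-----BEGIN CERTIFICATE-----` and truncates what a PEM parser sees. The sample certificate files are constructed placeholders (not real certificates), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not libvirt's code: assemble a multi-CA cacert.pem for
# libvirt from several PEM files, then sanity-check the result.

# build_ca_bundle OUT IN... : concatenate PEM files into OUT, making sure
# every source ends with a newline so the BEGIN/END markers stay on their
# own lines.
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(...) strips a trailing newline, so a non-empty result means the
        # file's last byte is not a newline and one must be appended.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# count_certs FILE : print the number of well-delimited certificates in
# FILE; return 1 if markers are glued together or unbalanced.
count_certs() {
    file=$1
    if grep -q 'END CERTIFICATE-----[^[:space:]]' "$file"; then
        echo "glued PEM markers in $file" >&2
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -eq 0 ]; then
        echo "unbalanced PEM markers in $file ($begins BEGIN, $ends END)" >&2
        return 1
    fi
    echo "$begins"
}

# make_sample_cas DIR : write two constructed placeholder "CA" files into
# DIR. ca1.pem deliberately lacks a trailing newline; the base64 body is a
# stand-in, not a real certificate.
make_sample_cas() {
    dir=$1
    printf '%s\n%s\n%s' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE01=' \
        '-----END CERTIFICATE-----' > "$dir/ca1.pem"
    printf '%s\n%s\n%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        'MIIBCONSTRUCTEDPLACEHOLDERNOTAREALCERTIFICATE02=' \
        '-----END CERTIFICATE-----' > "$dir/ca2.pem"
}

# Stand-alone usage: sh build_ca_bundle.sh /etc/pki/CA/cacert.pem ca1.pem ca2.pem
if [ "$#" -ge 2 ]; then
    bundle=$1
    build_ca_bundle "$@"
    echo "$(count_certs "$bundle") CA certificate(s) in $bundle"
fi
```

The structural check only confirms that each certificate block is delimited correctly; where `openssl` is available, `openssl verify -CAfile /etc/pki/CA/cacert.pem servercert.pem` is the real test that a server or client certificate chains to one of the bundled CAs. Daemons that load the bundle at startup need to be restarted to pick up the new file.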