
Re: [virt-tools-list] [libvirt-users] Client certificate paths?

On 08/20/2010 12:59 AM, Cole Robinson wrote:
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
Hello all,

I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
instance.  I cannot for the life of me figure out how to tell either
tool where to find client or CA certificates.  Do they *really* need
to access the ones in /etc/pki?  In particular, the client seems to
want to read the *server's* private key, which for obvious reasons is
only readable by root.

I feel like I must be missing something obvious...if someone can point
me towards a solution I would really appreciate it.  Thanks!

Hi Lars,

There wasn't a mention of which type of certificates you're trying to
use, so I'll assume TLS, as that's what /etc/pki is for.


With virsh, it is hard-coded to use a server-wide path for its client
certificate (found this out yesterday).  It's been mentioned
there's an RFE for having that configurable, but it's not something I've
looked into.

  $ ls -la /etc/pki/libvirt/clientcert.pem /etc/pki/libvirt/private/clientkey.pem
  -rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
  -rw-r--r-- 1 root root 1675 Aug 19 02:32 /etc/pki/libvirt/private/clientkey.pem

It also needs the CA Certificate (not the key) here:

  $ sudo ls -la /etc/pki/CA/cacert.pem
  -rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem

Real life example of it working:

  $ virsh -c qemu://host1/system
  Welcome to virsh, the virtualization interactive terminal.

  Type:  'help' for help with commands
         'quit' to quit

  virsh #

(the qemu:// bit works there without saying qemu+tls://, because TLS
is the default)


virt-manager, though, uses the client certificate in a different spot.
It has them per user, and they're stored in:

  ~/.pki/libvirt-vnc/clientcert.pem
  ~/.pki/libvirt-vnc/private/clientkey.pem

It needs the CA Certificate in:

  ~/.pki/CA/ca-cert.pem

  $ ls -la ~/.pki/libvirt-vnc/clientcert.pem ~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
  -rw-r--r-- 1 jc jc 1070 Aug 19 20:48 /export/backend/home/jc/.pki/CA/ca-cert.pem
  -rw-r--r-- 1 jc jc 1220 Aug 19 20:48 /export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
  lrwxrwxrwx 1 jc jc   16 Aug 19 21:14 /export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem -> ../clientkey.pem

You'll be able to see that pointing to the keys in my home dir. Something you'll notice is that in this instance, my clientkey.pem is itself NOT in the "private" sub-dir. It's in a folder below that, with a link in the private sub-dir, which is good enough.

I have it this way only because I created it in a different spot initially when trying to get it to work, and it turns out that virt-viewer (another VNC viewing thing) needs it there instead. i.e. in the directory below "private".

Anyway, the above works. :)

If you have troubles with the TLS key generation, the docs on the libvirt.org site work:


And the paths for virt-manager are given on the last part of this page:


If it's relevant, I'm running everything under Fedora 13 right now, so
that means libvirt-0.8.2-1.fc13.x86_64 and

Similar.  All of the above is on an F13 workstation as well.

All good now? :)

Regards and best wishes,

Justin Clift

Salasaga  -  Open Source eLearning IDE
