
2.4. Generating TLS certificates

Libvirt supports TLS certificates for verifying the identity of the server and clients. There are two distinct checks involved:
  1. The client checks that it is connecting to the correct server by matching the certificate the server sends with the server's hostname. This check can be disabled by adding ?no_verify=1. Refer to Table 3.3, “Extra parameters for remote URIs” for details.
  2. The server checks to ensure that only allowed clients are connected. This is performed using either:
     a. the client's IP address; or
     b. the client's IP address and the client's certificate.
     Server checking may be enabled or disabled using the libvirtd.conf file.
For full certificate checking you will need to have certificates issued by a recognized Certificate Authority (CA) for your server(s) and all clients. To avoid the expense of obtaining certificates from a commercial CA, you can set up your own CA and tell your server(s) and clients to trust certificates issued by it. To do this, follow the instructions contained in the next section.
Be aware that the default configuration for libvirtd.conf allows any client to connect, provided that it has a valid certificate issued by the CA for its own IP address. This setting may need to be made more or less permissive, depending on your requirements.

2.4.1. Public Key Infrastructure setup

Table 2.3. Public Key setup

| Location                               | Machine                              | Description                           | Required fields                                                                               |
|----------------------------------------|--------------------------------------|---------------------------------------|-----------------------------------------------------------------------------------------------|
| /etc/pki/CA/cacert.pem                 | Installed on all clients and servers | CA's certificate                      | n/a                                                                                           |
| /etc/pki/libvirt/private/serverkey.pem | Installed on the server              | Server's private key                  | n/a                                                                                           |
| /etc/pki/libvirt/servercert.pem        | Installed on the server              | Server's certificate signed by the CA | CommonName (CN) must be the hostname of the server as it is seen by clients.                  |
| /etc/pki/libvirt/private/clientkey.pem | Installed on the client              | Client's private key                  | n/a                                                                                           |
| /etc/pki/CA/cacert.pem                 | Installed on the client              | Client's certificate signed by the CA | Distinguished Name (DN) can be checked against an access control list (tls_allowed_dn_list). |
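The following script is an added example, not part of the libvirt documentation or the libvirt project itself. It ties together the two checks described in section 2.4 and the file layout of Table 2.3: it builds a private CA, a server certificate whose CN is the hostname clients connect to, and a client certificate, placing them under a scratch directory in the same CA/ and libvirt/ structure as the table, and then performs the client-side hostname check and the server-side DN allow-list check with the openssl command-line tool rather than with libvirt. The hostname vmhost.example.com, the organisation ExampleOrg and the client name client1 are constructed values; the file name clientcert.pem for the client certificate is an assumption chosen by analogy with servercert.pem, since the table does not give a distinct path for it; openssl 1.1.1 or newer on PATH is assumed. The IP-address check from section 2.4 is not covered. It goes slightly beyond the page by matching tls_allowed_dn_list entries as shell-style wildcard patterns, which is how libvirtd compares them with the client's DN, and by adding a subjectAltName alongside the CN, because current TLS libraries consult the SAN before falling back to the CN.

```shell
#!/bin/sh
# Added example, not code from the libvirt documentation or project.
# Assumed: openssl 1.1.1+ on PATH. All names and DN values are constructed;
# clientcert.pem is an assumed file name (Table 2.3 lists no separate path).
set -eu

# Create CA, server and client key pairs under $1 for server hostname $2,
# mirroring the CA/ and libvirt/ layout of Table 2.3.
make_pki() {
  dir=$1; host=$2
  mkdir -p "$dir/CA" "$dir/libvirt/private"

  # Private CA: self-signed; cacert.pem is what every client and server trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=ExampleOrg/CN=Example libvirt CA" \
    -keyout "$dir/CA/cakey.pem" -out "$dir/CA/cacert.pem" 2>/dev/null

  # Server: CN is the hostname as clients see it (Table 2.3). A dNSName SAN is
  # added as well, because current TLS libraries check the SAN before the CN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/libvirt/private/serverkey.pem" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/CA/cacert.pem" -CAkey "$dir/CA/cakey.pem" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/libvirt/servercert.pem" 2>/dev/null

  # Client: its subject DN is what libvirtd compares with tls_allowed_dn_list.
  openssl req -newkey rsa:2048 -nodes -subj "/O=ExampleOrg/CN=client1" \
    -keyout "$dir/libvirt/private/clientkey.pem" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/CA/cacert.pem" -CAkey "$dir/CA/cakey.pem" -CAcreateserial \
    -out "$dir/libvirt/clientcert.pem" 2>/dev/null
}

# Chain check: is certificate $2 signed by the CA installed under $1?
verify_chain() {
  openssl verify -CAfile "$1/CA/cacert.pem" "$2" >/dev/null 2>&1
}

# Subject DN of certificate $1 in RFC 2253 form, e.g. CN=client1,O=ExampleOrg
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Check 1 (client side): does the server certificate's CN equal hostname $2?
# Hostnames are case-insensitive, so both sides are lower-cased before comparing.
cn_matches_host() {
  cn=$(cert_dn "$1" | sed -n 's/^.*CN=\([^,]*\).*$/\1/p')
  [ "$(printf '%s' "$cn" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Check 2 (server side): is DN $1 accepted by the allow list passed as the
# remaining arguments? Each entry is matched as a shell-style wildcard pattern,
# which is how libvirtd treats tls_allowed_dn_list entries. An empty list denies.
dn_allowed() {
  dn=$1; shift
  for pat in "$@"; do
    case $dn in
      $pat) return 0 ;;
    esac
  done
  return 1
}

# Demonstration on a scratch directory with the constructed hostname.
work=$(mktemp -d)
make_pki "$work" vmhost.example.com
verify_chain "$work" "$work/libvirt/servercert.pem" && echo "server cert chains to CA"
cn_matches_host "$work/libvirt/servercert.pem" vmhost.example.com && echo "server CN matches hostname"
client_dn=$(cert_dn "$work/libvirt/clientcert.pem")
echo "client DN: $client_dn"
dn_allowed "$client_dn" 'CN=*,O=ExampleOrg' && echo "client DN allowed"
rm -rf "$work"
```

When moving from the scratch directory to a real deployment, the files go to the locations in Table 2.3 and the DN printed for the client is the string to place in tls_allowed_dn_list in libvirtd.conf; with no list configured, libvirtd's default of accepting any certificate the CA issued applies, which is the behaviour section 2.4 warns about.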