
[...]
static int +qemuDomainAddDiskSrcTLSObject(virQEMUDriverPtr driver, + virDomainObjPtr vm, + virStorageSourcePtr src, + const char *srcalias) +{ + int ret = -1; + qemuDomainObjPrivatePtr priv = vm->privateData; + virJSONValuePtr tlsProps = NULL; + + /* NB: Initial implementation doesn't require/use a secret to decrypt + * a server certificate, so there's no need to manage a tlsSecAlias
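Review bot: the NB comment at the top of qemuDomainAddDiskSrcTLSObject justifies skipping tlsSecAlias by saying no secret is needed "to decrypt a server certificate", but this function builds the TLS object for a disk source, which is the connecting side, so the wording describes the wrong endpoint. Either reword it in terms of the credentials the disk source actually presents, or drop the paragraph. If it stays as a marker for later work, say explicitly that passphrase-protected key material is not handled yet, so the limitation is visible to whoever adds tlsSecAlias support.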
client certificate
No it's the server certificate (server-key.pem) that needs the secret in order to be decrypted.
I think both can be encrypted. What I wanted to point out is that it does not make sense to refer to the server certificate in terms of disks since they are clients only.
True - I'll just the whole paragraph. It's one of those traces I leave in code comments for later on...
John