The layout in $HOME/.pki is different from that in /etc/pki but we never tell anyone about this trap. Add docs showing the required $HOME/.pki layout. --- docs/remote.html.in | 41 ++++++++++++++++++++++++++++++++++------- 1 file changed, 34 insertions(+), 7 deletions(-) diff --git a/docs/remote.html.in b/docs/remote.html.in index 9b132f1..4c3012f 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -419,13 +419,21 @@ next section. <td> <code>/etc/pki/CA/cacert.pem</code> </td> - <td> Installed on all clients and servers </td> + <td> Installed on the client and server </td> <td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td> <td> n/a </td> </tr> <tr> <td> - <code>/etc/pki/libvirt/ private/serverkey.pem</code> + <code>$HOME/.pki/cacert.pem</code> + </td> + <td> Installed on the client </td> + <td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td> + <td> n/a </td> + </tr> + <tr> + <td> + <code>/etc/pki/libvirt/private/serverkey.pem</code> </td> <td> Installed on the server </td> <td> Server's private key (<a href="#Remote_TLS_server_certificates">more info</a>)</td> @@ -433,7 +441,7 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ servercert.pem</code> + <code>/etc/pki/libvirt/servercert.pem</code> </td> <td> Installed on the server </td> <td> Server's certificate signed by the CA. @@ -443,7 +451,26 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ private/clientkey.pem</code> + <code>/etc/pki/libvirt/private/clientkey.pem</code> + </td> + <td> Installed on the client </td> + <td> Client's private key. (<a href="#Remote_TLS_client_certificates">more info</a>) </td> + <td> n/a </td> + </tr> + <tr> + <td> + <code>/etc/pki/libvirt/clientcert.pem</code> + </td> + <td> Installed on the client </td> + <td> Client's certificate signed by the CA + (<a href="#Remote_TLS_client_certificates">more info</a>) </td> + <td> Distinguished Name (DN) can be checked against an access + control list (<code>tls_allowed_dn_list</code>). + </td> + </tr> + <tr> + <td> + <code>$HOME/.pki/libvirt/clientkey.pem</code> </td> <td> Installed on the client </td> <td> Client's private key. (<a href="#Remote_TLS_client_certificates">more info</a>) </td> @@ -451,7 +478,7 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ clientcert.pem</code> + <code>$HOME/.pki/libvirt/clientcert.pem</code> </td> <td> Installed on the client </td> <td> Client's certificate signed by the CA @@ -469,7 +496,7 @@ next section. </p> <ul> <li> For a non-root user, libvirt tries to find the certificates - in $HOME/.pki/libvirt. If the required CA certificate cannot + in $HOME/.pki/libvirt first. If the required CA certificate cannot be found, then the global default location (/etc/pki/CA/cacert.pem) will be used. Likewise, if either the client certificate @@ -477,7 +504,7 @@ next section. locations (/etc/pki/libvirt/clientcert.pem, /etc/pki/libvirt/private/clientkey.pem) will be used. </li> - <li> For the root user, the global default locations will be used.</li> + <li> For the root user, the global default locations will always be used.</li> </ul> <h4> <a name="Remote_TLS_background">Background to TLS certificates</a> -- 2.7.4