On Sat, Dec 08, 2018 at 03:02:22PM +0300, Мозолина, Надежда Викторовна wrote:
> Hello! I am trying to make libvirt trust one more CA. I suppose that
> when libvirt establishes a connection, it doesn't take into account any
> system trusted CAs. And in /etc/pki/CA according to the tutorial I have
> only one CA installed. How can I add one more trusted CA for libvirt?

The cacert.pem file that libvirt loads is not restricted to a single CA.
That file can contain many CA certificates. Just concatenate all their
PEM format docs together and all will be loaded.

NB, we intentionally do not use any of the system trusted CAs by default.
For non-public facing services, using the default worldwide list of
commercial CAs offers little to no benefit. In fact it would degrade
security, because as we've seen many times it only takes one rogue public
CA to issue bad certs for a domain. For non-public services like libvirt's
API it is thus preferable to use a private CA and avoid public CAs from
the system trusted CA list entirely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
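The procedure described in the reply, worked through as an added example (not code from the thread or from libvirt itself): two private CAs are generated, their PEM documents are concatenated into a single cacert.pem of the kind libvirt reads from /etc/pki/CA, and openssl verify is used to confirm that certificates issued by either CA validate against the bundle while one from an unrelated CA does not. It assumes openssl is installed; every key, certificate and name below is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: build a multi-CA cacert.pem for libvirt from two private
# CAs and check which issued certificates validate against it.
# Assumes openssl is on PATH; all material is generated here (constructed).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca NAME: self-signed private CA named NAME (constructed for this example)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_cert CA CN: leaf certificate for CN signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.crt" >/dev/null 2>&1
}

make_ca ca-old                  # the CA already in cacert.pem
make_ca ca-new                  # the CA being added
make_ca ca-other                # stands in for a public/system CA: never trusted

issue_cert ca-old   host-old
issue_cert ca-new   host-new
issue_cert ca-other host-other

# The bundle libvirt loads is simply the CA PEM documents concatenated.
cat ca-old.pem ca-new.pem > cacert.pem

# count_cas FILE: number of CA certificates present in a bundle
count_cas() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_against_bundle CERT: exit 0 only if CERT chains to a CA in cacert.pem
verify_against_bundle() {
  openssl verify -CAfile cacert.pem "$1" >/dev/null 2>&1
}

verify_against_bundle host-old.crt && echo "host-old: trusted"
verify_against_bundle host-new.crt && echo "host-new: trusted"
verify_against_bundle host-other.crt || echo "host-other: rejected"
```

The same count_cas check is a quick sanity test after appending a CA to the real /etc/pki/CA/cacert.pem: the number of BEGIN CERTIFICATE markers should equal the number of CAs you intended to trust.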