I have been trying to get a set of libvirtd systems up and running. My PKI
infrastructure involves a root CA and several intermediate CAs. I am trying
to get the machines to trust each other across the different intermediate
CAs.
This is what I have so far:
Libvirtd is starting and listening on TLS port 16514. I have configured
client/server certs/keys and it seems to be using all of these correctly.
I have also configured the cacert.pem file (which has two certs in the
chain). I have confirmed (recompiling with various debug statements) that
the gnutls libraries are successfully loading both certs from the
cacert.pem file.
When I try to connect with openssl s_client -connect <host>:16514, I get
something similar to this:
---
Certificate chain
 0 s:/CN=kvm999.example.com
   i:/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
... omitted for brevity
-----END CERTIFICATE-----
subject=/CN=kvm999.example.com
issuer=/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
---
Acceptable client certificate CA names
/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=intca1.example.com
/C=US/ST=Utah/O=Qualtrics/OU=SRE/CN=rootca.example.com
---
The "Server certificate" and "Acceptable client certificate CA names" look
right. The problem is that the certificate chain is just the single server
cert and does not include the intermediate cert or root cert. As a result,
clients from other intermediate CAs fail to verify the libvirtd process.
I have tried libvirtd 0.10.2 and 1.2.1, both on CentOS 6.
Thanks.
--
-Nathaniel Cook
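The following script is an added example and is not part of Nathaniel's mail or of libvirt. It rebuilds the PKI shape he describes (one root, two intermediates, a server cert under intca1 and a client cert under intca2) with throwaway keys and uses `openssl verify` to show the two ways the cross-intermediate verification can succeed: the peer sends its intermediate in the TLS chain (modelled with `-untrusted`), or the verifier's cacert.pem already carries every intermediate. It assumes an `openssl` CLI (1.1.1 or later); the names rootca, intca1, intca2 and kvm999 are taken from the mail, client2 and the file names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original mail). Model one root + two intermediate
# CAs and show why a libvirtd that sends only its leaf cert can be verified only
# by peers whose trust bundle already contains the issuing intermediate.
# Assumes the `openssl` CLI is installed (1.1.1+); all keys are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained request config so the script does not depend on the system
# openssl.cnf. ca_ext marks a cert as a CA, ee_ext as an end entity.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ee_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

gen_key() { openssl genrsa -out "$1.key" 2048 2>/dev/null; }

# make_root NAME: self-signed root CA, written to NAME.pem
make_root() {
  gen_key "$1"
  openssl req -new -x509 -config req.cnf -key "$1.key" \
    -subj "/CN=$1.example.com" -days 2 -out "$1.pem"
}

# issue NAME ISSUER EXT_SECTION: certificate for NAME signed by ISSUER's key
issue() {
  gen_key "$1"
  openssl req -new -config req.cnf -key "$1.key" \
    -subj "/CN=$1.example.com" -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -extfile req.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

# chain_ok TRUST_BUNDLE LEAF [SENT]: returns 0 if LEAF verifies against the
# bundle. SENT, if given, stands in for the intermediate a peer would include
# in its TLS certificate chain (it is used but not trusted, like in a handshake).
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# report LABEL TRUST_BUNDLE LEAF [SENT]: human-readable wrapper around chain_ok
report() {
  label=$1; shift
  if chain_ok "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

make_root rootca
issue intca1 rootca ca_ext
issue intca2 rootca ca_ext
issue kvm999 intca1 ee_ext    # the libvirtd server cert from the mail
issue client2 intca2 ee_ext   # invented: a client enrolled under the other intermediate

# Two candidate cacert.pem bundles: complete, and missing one intermediate.
cat rootca.pem intca1.pem intca2.pem > cacert.pem
cat rootca.pem intca1.pem            > cacert-1.pem

report "server leaf alone, trust = root only"               rootca.pem   kvm999.pem
report "server leaf + intca1 sent in chain, trust = root"   rootca.pem   kvm999.pem intca1.pem
report "server leaf alone, trust = root + both intcas"      cacert.pem   kvm999.pem
report "client from intca2, trust = root + intca1 only"     cacert-1.pem client2.pem
report "client from intca2, trust = root + both intcas"     cacert.pem   client2.pem
```

The first and fourth lines reproduce the failure in the mail: a leaf presented without its intermediate verifies only when the verifier's own bundle already holds that intermediate. Either the server must send the intermediate in its chain, or every machine's cacert.pem must contain the root plus all intermediates that issue certs it will ever be shown.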