Re: [libvirt-users] certificate pinning

I already found out how to set up all the certificates and tls works fine for me. What if I want to put a proxy between client and server in libvirt? He has his own CA, and this is only one more CA I would like libvirt to trust to. Is it somehow achievable? I see that libvirt takes certificates only from predefined paths. For me doesn't work if I just incert another CA certificate to the cacert.pem file. Do you know any approaches how it can be made in another way?

пн, 10 дек. 2018 г. в 12:38, Daniel P. Berrangé <berrange(a)redhat.com&gt;: > On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote: > > Hello! > > Does libvirt uses certificate pinning in tls? I want to setup a > transparent > > proxy (mitmproxy) and can't do this even after I added mitmproxy ca > > certificate to the trusted certificates in ubuntu. > > Libvirt doesn't ever use the global certificates stores, because public > CAs are not relevant to libvirt deployments - indeed trusting the global > cert store in the OS would lower security by opening it upto arbitrary > CAs. See this doc for where libvirt finds CA certs > > https://libvirt.org/remote.html#Remote_certificates > > > Regards, > Daniel > -- > |: https://berrange.com -o- > https://www.flickr.com/photos/dberrange :| > |: https://libvirt.org -o- > https://fstop138.berrange.com :| > |: https://entangle-photo.org -o- > https://www.instagram.com/dberrange :| >