Re-adding the libvirt-users list - please don't take discussions off-list. On Mon, Dec 10, 2018 at 01:10:18PM +0300, Anastasiya Ruzhanskaya wrote:
I already found out how to set up all the certificates and tls works fine for me. What if I want to put a proxy between client and server in libvirt? He has his own CA, and this is only one more CA I would like libvirt to trust to. Is it somehow achievable? I see that libvirt takes certificates only from predefined paths. For me doesn't work if I just incert another CA certificate to the cacert.pem file. Do you know any approaches how it can be made in another way?
The cacert.pem file can contain multiple certificates, just concatenate all the CA pem files.
пн, 10 дек. 2018 г. в 12:38, Daniel P. Berrangé <berrange@redhat.com>:
Hello! Does libvirt uses certificate pinning in tls? I want to setup a
On Sat, Dec 08, 2018 at 11:19:40AM +0300, Anastasiya Ruzhanskaya wrote: transparent
proxy (mitmproxy) and can't do this even after I added mitmproxy ca certificate to the trusted certificates in ubuntu.
Libvirt doesn't ever use the global certificates stores, because public CAs are not relevant to libvirt deployments - indeed trusting the global cert store in the OS would lower security by opening it upto arbitrary CAs. See this doc for where libvirt finds CA certs
https://libvirt.org/remote.html#Remote_certificates
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|