I have been trying to get set of libvirtd system up and running. My PKI infrastructure involves a root CA and several intermediate CAs. I am trying to get the machines to trust each other across the different intermediate CAs.
This is what I have so far:
Libvirtd is starting and listening on tls port 16514 I have configured client/server certs/keys and it seems to be using all of these correctly.
I have also configured the cacert.pem file (which has two certs in the chain). I have confirmed (recompiling with various debug statements) that the gnutls libraries are successfully loading both certs from the cacert.pem file.
When I try to connect with openssl s_client -connect <host>:16514 I get something similar to this:
---
Certificate chain
---
Server certificate
-----BEGIN CERTIFICATE-----
... omitted for brevity
-----END CERTIFICATE-----
---
Acceptable client certificate CA names
---
The "Server certificate" and "Acceptable client certificate CA names" look right. The problem is that the certificate chain is just the single server cert and does not include the intermediate cert or root cert. As a result clients from other intermediate CAs fail to verify the libvirtd process.
I have tried libvirtd 0.10.2 and 1.2.1 both on CentOS 6.
Thanks.
--
-Nathaniel Cook