On Mon, Aug 25, 2014 at 04:09:56PM +, Dietmar Maurer wrote:
To make sure I understand, you start with a Root CA which I assume you
generated yourself and is self-signed?
We use official certs from StartCom Certification Authority using
StartCom Class 2 Primary Intermediate Server
Hey,
On Fri, Aug 22, 2014 at 08:22:22AM +, Dietmar Maurer wrote:
I use the following certificate files:
# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK
I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
Hi Dietmar,
does the certificate setup work for other TLS apps, such as a web
server/browser or just simple openssl s_(server|client)?
Also, do you account for intermediate CA in your setup? You have
basically two options how to handle it:
1) standard: server-cert.pem should contain the whole
To make sure I understand, you start with a Root CA which I assume you
generated yourself and is self-signed?
We use official certs from StartCom Certification Authority using
StartCom Class 2 Primary Intermediate Server CA intermediate CA.
But we just observed that the same setup works
Also, do you account for intermediate CA in your setup? You have basically
two options how to handle it:
1) standard: server-cert.pem should contain the whole chain of certificates
under root CA, e.g:
* Int. CA 1
* Int. CA 2
* server cert
you just cat them to the file in that
I use the following certificate files:
# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK
I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
[virt-viewer]
ca=-BEGIN CERTIFICATE-\nXX/Q=\n-END
Hi Dietmar
- Original Message -
I use the following certificate files:
# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK
I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
[virt-viewer]
ca=-BEGIN
I think you must be able to openssl verify your file without specifying the
CAfile, if you want Spice ssl checks to pass.
Sorry, but how should that work? For example:
# cat server.pem intermediate_certificate.pem ca.pem > mix.pem
So the file contains all needed certificates, but:
# openssl