Hello! I'm trying to create a certificate that contains the necessary options to let the libvirtd service work as intended with remote control over TLS.

I have created my own CA using certtool, and the problem that I'm having is with the server certificate. The template that I'm using when I create the CSR is as follows:

    organization = "Local libvirtd"
    unit = "libvirtd server"
    cn = "oink"
    country = "SE"
    state = "Sweden"
    expiration_days = 1095
    tls_www_server
    signing_key
    encryption_key

I've also tried to make certtool honour the extensions, which it does to a certain degree. The "encryption_key" is not honoured even if I try to enforce it using the "honour_crq_extensions" option, as well as using the above template when I sign the CSR with the CA. The resulting PEM-encoded certificate generates the following error during startup of libvirtd:

    dec 13 20:58:20 oink libvirtd[15630]: Certificate /etc/pki/libvirt/servercert.pem usage does not permit key encipherment

When I verify the certificates I get no indication that something is missing. When I inspect the certificates, the encryption_key extension is missing and the only options that show up in the certificate are the tls_www_server and signing_key options. I'm trying to use encryption_key because libvirtd expects it, and the manual for libvirtd also indicates that it's needed ( http://libvirt.org/remote.html ). I am able to get around this issue by telling libvirtd to skip the sanity check of its own certificates, but the key encipherment usage option is still missing from the certificate. Is this behaviour expected?

The current version of certtool is 3.4.7, running on an up-to-date install of Arch Linux.

Thanks in advance,
Tobias Dahlberg
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
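An added check (not part of the original post, nor GnuTLS or libvirt code) for spotting the mismatch described above: it compares the usage flags requested in a certtool template against the Key Usage and Key Purpose sections of `certtool --certificate-info` output, so a server certificate that lacks key encipherment is caught before libvirtd refuses it. The mapping from template flags to printed usage names and the sample certtool output are assumptions constructed for this example.

```python
import re

# certtool template flags (the ones used in the post) -> strings certtool -i prints.
# Assumed mapping for this check; it covers only the flags that appear in the post.
KEY_USAGE = {"signing_key": "Digital signature", "encryption_key": "Key encipherment"}
KEY_PURPOSE = {"tls_www_server": "TLS WWW Server"}

def template_flags(text):
    """Bare option lines (no '=') of a certtool template, comments stripped."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return {ln for ln in lines if ln and "=" not in ln}

def info_section(info, header):
    """Entries listed under one 'certtool -i' section, e.g. 'Key Usage'."""
    entries, inside = set(), False
    for line in info.splitlines():
        s = line.strip()
        if re.match(re.escape(header) + r"\b", s):   # e.g. 'Key Usage (critical):'
            inside = True
        elif inside and (not s or s.endswith(":")):  # next section header or blank line
            break
        elif inside:
            entries.add(s.rstrip("."))               # 'Digital signature.' -> 'Digital signature'
    return entries

def missing_usages(template, cert_info):
    """Usages the template asked for that the issued certificate does not carry."""
    flags = template_flags(template)
    want = {KEY_USAGE[f] for f in flags if f in KEY_USAGE} | \
           {KEY_PURPOSE[f] for f in flags if f in KEY_PURPOSE}
    have = info_section(cert_info, "Key Usage") | info_section(cert_info, "Key Purpose")
    return want - have

# Template from the post (identity fields abbreviated).
TEMPLATE = """organization = "Local libvirtd"
tls_www_server
signing_key
encryption_key
"""
# Constructed excerpt in the shape of `certtool --certificate-info` output for a
# certificate where only digital signature was issued (the situation in the post).
CERT_INFO = """\tExtensions:
\t\tKey Purpose (not critical):
\t\t\tTLS WWW Server.
\t\tKey Usage (critical):
\t\t\tDigital signature.
"""

if __name__ == "__main__":
    print("missing from certificate:", sorted(missing_usages(TEMPLATE, CERT_INFO)))
```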
