On Mon, Jan 15, 2007 at 06:23:35PM +0000, Richard W.M. Jones wrote:
> [Apologies also that this is not threaded with the original post]
>
> > $HOME/.libvirt/tls/
> > |
> > +- ca
> > |  |
> > |  +- cert.pem
> > |  +- ca-crl.pem
>
> Note that there are standard locations for CA certs. On my Debian box
> the standard locations appear to be /etc/ca-certificates.conf and
> /usr/share/ca-certificates. Not sure yet about Fedora/RHEL.

It looks like /etc/pki or /etc/pki/tls is the equivalent 'standard'
directory for Fedora & derivatives.

> I suppose you hope that people will be using formal CA's rather than
> their own, or at least have a CA certificate issued by a formal CA from
> which they can issue their own client & server certs.

At the corporate end I'd expect them to have formal CA & certificate
issuing procedures. Most community folks will likely end up just creating
a private self-signed CA cert - if we document it, it's a fairly trivial
command or two to run using openssl, or certtool. If people were really
bothered then we could provide a convenience shell script to get started.

From my experience thus far, most of the scary stuff with TLS is that the
documentation relating to data you put into x509 certificates is complete
rubbish. No one ever really explains what a 'Common Name', 'Organizational
Unit' and all the other fields are about.

Dan.

-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=|