Hi all,

It fails when the client connects to the hypervisor running on the server using TLS; the details are as follows:

I Test Procedures:

On server (10.66.92.154)

1. Set up a Certificate Authority (CA)
   1.1 # certtool --generate-privkey > cakey.pem
   1.2 self-sign cakey.pem by creating a file with the signature details called ca.info containing:
         cn=10.66.92.154
         ca
         cert_signing_key
   1.3 # certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem

2. Create server certificates
   2.1 # certtool --generate-privkey > serverkey.pem
   2.2 sign that key with the CA's private key by first creating a template file called server.info
         organization=Red Hat
         cn=10.66.92.154
         tls_www_server
         encryption_key
         signing_key
   2.3 # certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem \
         --load-ca-privkey cakey.pem --template server.info --outfile servercert.pem

3. Copy CA key and server key to correct directory
   3.1 # cp cakey.pem cacert.pem /etc/pki/CA
   3.2 # mkdir -p /etc/pki/libvirt/private
   3.3 # cp serverkey.pem /etc/pki/libvirt/private
   3.4 # cp servercert.pem /etc/pki/libvirt

4. Copy CA key to client (10.66.93.205) into correct directory
   4.1 # scp cakey.pem cacert.pem root@xxxxxxxxxxxx:/etc/pki/CA

5. Turn on libvirtd monitor listening in /etc/sysconfig/libvirtd
   -- uncomment LIBVIRTD_ARGS="--listen"

6. Edit /etc/libvirt/libvirtd.conf
   -- enable listen_tls = 1

7. # service libvirtd restart

8. # service iptables stop

On client (10.66.93.205)

9. Create client certificates
   9.1 # certtool --generate-privkey > clientkey.pem
   9.2 Act as CA and sign the certificate. Create client.info containing:
         country=GB
         state=London
         locality=London
         organization=Red Hat
         cn=10.66.93.205
         tls_www_client
         encryption_key
         signing_key
   9.3 # certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate /etc/pki/CA/cacert.pem \
         --load-ca-privkey /etc/pki/CA/cakey.pem --template client.info --outfile clientcert.pem

10. Copy client key to correct directory
   10.1 # mkdir -p /etc/pki/libvirt/private
   10.2 # cp clientkey.pem /etc/pki/libvirt/private
   10.3 # cp clientcert.pem /etc/pki/libvirt/

11. Connect to server hypervisor
   # virsh -c qemu+tls://10.66.92.154/system

II Test Result:

[root@dhcp-93-205 images]# virsh -c qemu+tls://10.66.92.154/system
error: server verification (of our certificate or IP address) failed
error: failed to connect to the hypervisor

Note: if I do Step 9 as above on the server, then the client can connect to the hypervisor running on the server using TLS successfully.

Regards!
Johnson

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
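
A local sanity check for a certificate set like the one built in the steps above, as an added example that is not part of the original post: it confirms that a certificate chains to the CA certificate and that the private key belongs to it. It uses openssl instead of the post's certtool; the function names, the second CA (othercacert) and the throwaway PKI are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post); openssl stands in for certtool.

# check_cert CA_CERT CERT KEY: print one finding per check, return 1 if any fails.
check_cert() {
    cc_ca=$1; cc_cert=$2; cc_key=$3; cc_rc=0
    # The certificate must chain to the CA the peer trusts and be inside its
    # validity window as judged by the clock of the machine running this check.
    if openssl verify -CAfile "$cc_ca" "$cc_cert" >/dev/null 2>&1; then
        echo "chain: ok"
    else
        echo "chain: FAIL"; cc_rc=1
    fi
    # The private key must belong to the certificate: compare the public halves.
    cc_cpub=$(openssl x509 -in "$cc_cert" -noout -pubkey 2>/dev/null) || cc_cpub=""
    cc_kpub=$(openssl pkey -in "$cc_key" -pubout 2>/dev/null) || cc_kpub=""
    if [ -n "$cc_cpub" ] && [ "$cc_cpub" = "$cc_kpub" ]; then
        echo "keypair: ok"
    else
        echo "keypair: FAIL"; cc_rc=1
    fi
    return $cc_rc
}

# make_demo DIR: build a constructed throwaway PKI in DIR: two unrelated CAs
# (cacert, othercacert) and one client certificate signed by cacert.
make_demo() {
    md_dir=$1
    for md_ca in cacert othercacert; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$md_ca" \
            -keyout "$md_dir/$md_ca.key" -out "$md_dir/$md_ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=10.66.93.205" \
        -keyout "$md_dir/clientkey.pem" -out "$md_dir/client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$md_dir/client.csr" -days 1 -CA "$md_dir/cacert.pem" \
        -CAkey "$md_dir/cacert.key" -CAcreateserial \
        -out "$md_dir/clientcert.pem" 2>/dev/null
}

# Demo run on the constructed PKI; on a real host pass the files under
# /etc/pki/CA and /etc/pki/libvirt instead.
demo=$(mktemp -d) && make_demo "$demo" &&
    check_cert "$demo/cacert.pem" "$demo/clientcert.pem" "$demo/clientkey.pem"
```

Run it on both machines: the chain check only reflects the CA file and clock of the host it runs on.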