Daniel,

Great! I want it.

Thanks,
Alex

----- Original Message -----
From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
To: libvir-list@xxxxxxxxxx
Sent: Friday, February 17, 2012 10:22:25 PM
Subject: A script for setting up x509 certs for libvirt/spice/vnc

After 4 years of swearing at the pain of setting up x509 certs, I finally
decided to try to write a script to automate it. I'm attaching a very raw
proof of concept called "virt-pki-admin.pl". It does the following

 * Create CA key+cert
 * Create server + client keys+cert & sign with the CA
 * Copy server/client certs to remote hosts into correct directories

which is sufficient to get up & running with libvirtd/virt-manager/virsh
etc using x509

eg,

  // Create a self-signed CA
  $ virt-pki-admin.pl init "Evil CA"

  // Add some servers
  virt-pki-admin add_server "Evil Moonbase" alpha.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" beta.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" gamma.moonbase.evil.com

  // And some clients
  virt-pki-admin add_client "Evil Henchmen" up.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" down.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" strange.moonbase.evil.com

  // Copy the server certs/keys via the SSH root account
  virt-pki-admin deploy_server alpha.moonbase.evil.com
  virt-pki-admin deploy_server beta.moonbase.evil.com
  virt-pki-admin deploy_server gamma.moonbase.evil.com

  // Copy the client certs/keys via the SSH root account
  virt-pki-admin deploy_client up.moonbase.evil.com
  virt-pki-admin deploy_client down.moonbase.evil.com
  virt-pki-admin deploy_client strange.moonbase.evil.com

  // Copy the client certs/keys via the SSH $USER account
  virt-pki-admin deploy_user_client up.moonbase.evil.com
  virt-pki-admin deploy_user_client down.moonbase.evil.com
  virt-pki-admin deploy_user_client strange.moonbase.evil.com

With that, if you are logged into 'root' on any of 'up', 'down', or
'strange' you can connect to any server using qemu+tls://hostname/system.
Likewise for non-root accounts, which also have GTK-VNC and SPICE-GTK
certs set up to allow graphical access to QEMU using x509 certs.

With some more work I plan to submit this to libvirt, but for now here is
the script in case it is useful.

BTW it stores all certs & keys in $HOME/.libvirt/pki/ on the machine used
to run the command. You can safely experiment with any of the commands
*except* the 'deploy_' ones, without messing up your current x509 config.

Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list