I've got a setup where a given cert (for a machine) is issued randomly by one of three CA's, all of which are signed by a root CA. When using this with libvirt, it will refuse to start if the cert is signed by a CA other than the top one in the /etc/pki/CA/cacert.pem file, and if the client cert is issued by a different CA than the server cert (quite the possibility), then obviously that connection is rejected. It looks like in src/rpc/virnettlscontext.c we're using gnutls_x509_crt_import() instead of gnutls_x509_crt_list_import() which would account for this behavior. -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list