Re: Add trusted CA to libvirt

On Sat, Dec 08, 2018 at 03:02:22PM +0300, Мозолина, Надежда Викторовна wrote:
> Hello! I am trying to make libvirt trust one more CA. I suppose that when
> libvirt establishes a connection, it doesn't take into account any system
> trusted CAs. And in /etc/pki/CA according to the tutorial I have only one
> CA installed. How can I add one more trusted CA for libvirt?

The cacert.pem file that libvirt loads is not restricted to a single CA.
That file can contain many CA certificates. Just concatenate all their
PEM format docs together and all will be loaded.

NB, we intentionally do not use any of the system trusted CAs by default.
For non-public facing services, using the default worldwide list of
commercial CAs offers little to no benefit. In fact it would degrade
security, because as we've seen many times it only takes one rogue public
CA to issue bad certs for a domain. For non-public services like libvirt's
API it is thus preferable to use a private CA and avoid public CAs from
the system trusted CA list entirely.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
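
The concatenation described in the reply above, as an added example that is not part of the original post or of libvirt. The function name `merge_ca_bundle` and its arguments are hypothetical; it checks PEM framing only, and guards against a missing trailing newline, CRLF line endings, duplicate certificates and stray private keys in the input files.

```shell
#!/bin/sh
# Added example, not from the original post or from libvirt.
# merge_ca_bundle (hypothetical name) OUT.pem CA1.pem [CA2.pem ...]
# Writes every distinct CERTIFICATE block from the inputs to OUT.pem and
# prints how many were written. It checks PEM framing only, not X.509 content.
merge_ca_bundle() {
    out=$1
    shift
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        # Drop CRs and force a newline after each file, so the END line of
        # one input can never fuse with the BEGIN line of the next.
        tr -d '\r' < "$f"
        echo
    done | awk '
        /^-----BEGIN CERTIFICATE-----$/ { inside = 1; block = "" }
        inside { block = block $0 "\n" }
        /^-----END CERTIFICATE-----$/ {
            # Anything outside a CERTIFICATE block (for example a private
            # key stored next to the CA cert) is never copied.
            if (inside && !(block in seen)) { seen[block] = 1; printf "%s", block }
            inside = 0
        }' > "$tmp"
    count=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in inputs" >&2
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$out"
    rm -f "$tmp"
    echo "$count"
}
```

Point OUT.pem at the cacert.pem that libvirt loads; the printed count should match the number of CAs you intend to trust.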



