5.2. Remote Management Over TLS and SSL
You can manage virtual machines using TLS and SSL. TLS and SSL provide greater scalability but are more complicated than ssh (refer to Section 5.1, “Remote Management with SSH”). TLS and SSL is the same technology used by web browsers for secure connections. The libvirt management connection opens a TCP port for incoming connections, which is securely encrypted and authenticated based on X.509 certificates. The procedures that follow provide instructions on creating and deploying authentication certificates for TLS and SSL management.
Procedure 5.1. Creating a certificate authority (CA) key for TLS management
- Before you begin, confirm that the certtool utility is installed. If not:
# yum install gnutls-utils
- Generate a private key, using the following command:
# certtool --generate-privkey > cakey.pem
- Once the key generates, the next step is to create a signature file so the key can be self-signed. To do this, create a file with signature details and name it ca.info. This file should contain the following:
# vim ca.info
cn = Name of your organization
ca
cert_signing_key
- Generate the self-signed key with the following command:
# certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem
Once the file generates, the ca.info file may be deleted using the rm command. The file that results from the generation process is named cacert.pem. This file is the public key (certificate). The loaded file cakey.pem is the private key. This file should not be kept in a shared space. Keep this key private.
- Install the cacert.pem Certificate Authority Certificate file on all clients and servers as /etc/pki/CA/cacert.pem to let them know that the certificate issued by your CA can be trusted. To view the contents of this file, run:
# certtool -i --infile cacert.pem
This is all that is required to set up your CA. Keep the CA's private key safe as you will need it in order to issue certificates for your clients and servers.
Procedure 5.2. Issuing a server certificate
This procedure demonstrates how to issue a certificate with the X.509 CommonName (CN) field set to the host name of the server. The CN must match the host name which clients will be using to connect to the server. In this example, clients will be connecting to the server using the URI qemu://mycommonname/system, so the CN field should be identical, i.e. mycommonname.
- Create a private key for the server.
# certtool --generate-privkey > serverkey.pem
- Generate a signature for the CA's private key by first creating a template file called server.info. Make sure that the CN is set to be the same as the server's host name:
organization = Name of your organization
cn = mycommonname
tls_www_server
encryption_key
signing_key
- Create the certificate with the following command:
# certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
  --template server.info --outfile servercert.pem
- This results in two files being generated:
  - serverkey.pem - The server's private key
  - servercert.pem - The server's public key (certificate)
Make sure to keep the location of the private key secret. To view the contents of the file, perform the following command:
# certtool -i --infile servercert.pem
When opening this file the CN= parameter should be the same as the CN that you set earlier. For example, mycommonname.
- Install the two files in the following locations:
  - serverkey.pem - the server's private key. Place this file in the following location: /etc/pki/libvirt/private/serverkey.pem
  - servercert.pem - the server's certificate. Install it in the following location on the server: /etc/pki/libvirt/servercert.pem
Procedure 5.3. Issuing a client certificate
- For every client (i.e. any program linked with libvirt, such as virt-manager), you need to issue a certificate with the X.509 Distinguished Name (DN) set to a suitable name. This needs to be decided on a corporate level. For example purposes the following information will be used:
C=USA,ST=North Carolina,L=Raleigh,O=Red Hat,CN=name_of_client
This process is quite similar to Procedure 5.2, “Issuing a server certificate”, with the following exceptions noted.
- Make a private key with the following command:
# certtool --generate-privkey > clientkey.pem
- Generate a signature for the CA's private key by first creating a template file called client.info. The file should contain the following (fields should be customized to reflect your region/location):
country = USA
state = North Carolina
locality = Raleigh
organization = Red Hat
cn = client1
tls_www_client
encryption_key
signing_key
- Sign the certificate with the following command:
# certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem \
  --load-ca-privkey cakey.pem --template client.info --outfile clientcert.pem
- Install the certificates on the client machine:
# cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem
# cp clientcert.pem /etc/pki/libvirt/clientcert.pem
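The following script is an added example and is not part of this guide or of the libvirt project. It runs Procedures 5.1 through 5.3 end to end in a scratch directory and then checks two things the text asks for but gives no command for: that the issued certificates actually chain to the CA (certtool --verify) and that the server certificate's CN is the host name clients will use. It assumes certtool from gnutls-utils is installed; the organization name, the host name mycommonname, the client name client1 and the two-letter country code in the client template are placeholder values chosen here.

```shell
#!/bin/sh
# Added example: build and check the libvirt TLS CA, server and client
# certificates from Procedures 5.1-5.3 in a temporary directory. Nothing is
# copied under /etc/pki; do that by hand once the checks pass.
set -u

# Write ca.info (Procedure 5.1). $1 = organization name, $2 = output path
write_ca_template() {
    printf 'cn = %s\nca\ncert_signing_key\n' "$1" > "$2"
}

# Write server.info (Procedure 5.2). $1 = organization, $2 = host name (CN), $3 = output path
write_server_template() {
    printf 'organization = %s\ncn = %s\ntls_www_server\nencryption_key\nsigning_key\n' \
        "$1" "$2" > "$3"
}

# Write client.info (Procedure 5.3). $1 = organization, $2 = client name (CN), $3 = output path.
# The country is given as a two-letter ISO code here (assumption, not from the guide).
write_client_template() {
    printf 'country = US\nstate = North Carolina\nlocality = Raleigh\norganization = %s\ncn = %s\ntls_www_client\nencryption_key\nsigning_key\n' \
        "$1" "$2" > "$3"
}

# Procedure 5.1: CA private key plus self-signed CA certificate in directory $1
make_ca() {
    d=$1
    certtool --generate-privkey > "$d/cakey.pem" 2>/dev/null &&
    certtool --generate-self-signed --load-privkey "$d/cakey.pem" \
        --template "$d/ca.info" --outfile "$d/cacert.pem" 2>/dev/null
}

# Procedures 5.2/5.3: key pair and CA-signed certificate. $1 = directory, $2 = "server" or "client"
issue_cert() {
    d=$1; n=$2
    certtool --generate-privkey > "$d/${n}key.pem" 2>/dev/null &&
    certtool --generate-certificate --load-privkey "$d/${n}key.pem" \
        --load-ca-certificate "$d/cacert.pem" --load-ca-privkey "$d/cakey.pem" \
        --template "$d/$n.info" --outfile "$d/${n}cert.pem" 2>/dev/null
}

# Return 0 if certificate $1 verifies against CA certificate $2
cert_chains_to_ca() {
    certtool --verify --load-ca-certificate "$2" --infile "$1" >/dev/null 2>&1
}

# Return 0 if the Subject CN of certificate $1 is exactly $2.
# certtool -i prints a "Subject: CN=...,O=..." line; the Issuer line is ignored.
cert_cn_is() {
    certtool -i --infile "$1" 2>/dev/null | grep -Eq "Subject: .*CN=$2(,|$)"
}

# Stand-alone run: only attempted when certtool is available.
if command -v certtool >/dev/null 2>&1; then
    work=$(mktemp -d)
    write_ca_template "Name of your organization" "$work/ca.info"
    write_server_template "Name of your organization" mycommonname "$work/server.info"
    write_client_template "Red Hat" client1 "$work/client.info"
    if make_ca "$work" && issue_cert "$work" server && issue_cert "$work" client &&
       cert_chains_to_ca "$work/servercert.pem" "$work/cacert.pem" &&
       cert_chains_to_ca "$work/clientcert.pem" "$work/cacert.pem" &&
       cert_cn_is "$work/servercert.pem" mycommonname; then
        echo "CA, server and client certificates generated and verified in $work"
    else
        echo "certificate generation or verification failed; inspect $work" >&2
    fi
fi
```

Run it as an unprivileged user before touching /etc/pki: a CN mismatch shows up here as a failed cert_cn_is check rather than as a TLS handshake error from a client later, and the certtool --verify step catches a server or client certificate that was accidentally signed by a different CA key than the cacert.pem being distributed.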