Мозолина, Надежда Викторовна
2018-Dec-08 12:02 UTC
[libvirt-users] Add trusted CA to libvirt
Hello!

I am trying to make libvirt trust one more CA. I suppose that when libvirt establishes a connection, it doesn't take into account any system trusted CAs. And in /etc/pki/CA according to the tutorial I have only one CA installed. How can I add one more trusted CA for libvirt?

Best regards,
Nadezhda Mozolina

On Sat, Dec 08, 2018 at 03:02:22PM +0300, Мозолина, Надежда Викторовна wrote:
> Hello! I am trying to make libvirt trust one more CA. I suppose that when
> libvirt establishes a connection, it doesn't take into account any system
> trusted CAs. And in /etc/pki/CA according to the tutorial I have only one
> CA installed. How can I add one more trusted CA for libvirt?

The cacert.pem file that libvirt loads is not restricted to a single CA. That file can contain many CA certificates. Just concatenate all their PEM format docs together and all will be loaded.

NB, we intentionally do not use any of the system trusted CAs by default. For non-public facing services, using the default worldwide list of commercial CAs offers little to no benefit. In fact it would degrade security, because as we've seen many times it only takes one rogue public CA to issue bad certs for a domain. For non-public services like libvirt's API it is thus preferable to use a private CA and avoid public CAs from the system trusted CA list entirely.

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
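
Added example, not part of the original thread and not libvirt's own tooling: the concatenation described in the reply above, with a check that each input parses as an X.509 certificate before it is appended, plus a way to confirm that a certificate issued by a given CA verifies against the combined file. The function names, CA names and file paths are constructed for illustration; the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Function names, CA names and paths are constructed.

# make_ca DIR NAME: throwaway self-signed private CA (test data only).
make_ca() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ca.cnf"
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_cert DIR CA NAME: certificate for NAME signed by the CA made above.
issue_cert() {
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 30 -out "$1/$3.pem" 2>/dev/null
}

# build_bundle OUT CA.pem...: write a multi-CA file such as cacert.pem.
# Each input is re-emitted through openssl, so stray text and a missing
# final newline cannot corrupt the result. Only the first certificate of
# each input file is taken. OUT is replaced only if every input is valid.
build_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for ca in "$@"; do
        if ! openssl x509 -in "$ca" -noout 2>/dev/null; then
            echo "not a PEM certificate: $ca" >&2
            rm -f "$tmp"
            return 1
        fi
        openssl x509 -in "$ca" >> "$tmp"
    done
    mv "$tmp" "$out"
}

# count_certs BUNDLE: number of certificates in the file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# trusted_by BUNDLE CERT: succeeds if CERT chains to a CA in BUNDLE.
trusted_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Usage: build_bundle cacert.pem existing-ca.pem additional-ca.pem
```
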