Create Certificates for libvirt TLS

In order to generate the needed certificates one can either use the gnutls utils, as proposed on the libvirt homepage, or use openssl, as I did. The following script was written to ease the creation of the certificates. It creates the CA, server and client certificates and copies them to the places where libvirt looks for them with its default settings.

Ze Script

#!/bin/bash
### Script to create Certificates
### created by Benjamin Boerngen-Schmidt - www.boerngen-schmidt.de
BITS=2048
# The subjects are quoted where they are used below, so values containing
# spaces (e.g. "CN=<CA NAME>") are passed to openssl intact.
SUBJECT_CA="/C=DE/L=<CITY>/O=<ORGANIZATION>/CN=<CA NAME>"
SUBJECT_SERVER="/C=DE/L=<CITY>/O=<ORGANIZATION>/CN=<SERVER NAME FQDN>"
SUBJECT_CLIENT="/C=DE/L=<CITY>/O=<ORGANIZATION>/OU=virtualization/CN=<CLIENT NAME>"
USER="<USER>"
USER_DIR="/home/$USER"
USER_QEMU="libvirt-qemu"

### DO NOT CHANGE BELOW THIS LINE
# Start from a clean working directory (-f: do not fail if nothing is there yet)
rm -f *.pem *.csr
# CA key and self-signed CA certificate (valid 3 years)
openssl genrsa -out cakey.pem $BITS
openssl req -new -x509 -days 1095 -key cakey.pem -out cacert.pem -sha256 \
        -subj "$SUBJECT_CA"
# Server and client keys plus their certificate signing requests
openssl genrsa -out serverkey.pem $BITS
openssl genrsa -out clientkey.pem $BITS
openssl req -new -key serverkey.pem -out serverkey.csr \
          -subj "$SUBJECT_SERVER"
openssl req -new -key clientkey.pem -out clientkey.csr \
          -subj "$SUBJECT_CLIENT"
# Sign both requests with the CA (valid 1 year); -sha256 avoids the SHA-1
# default of older openssl releases
openssl x509 -req -days 365 -sha256 -in clientkey.csr -CA cacert.pem -CAkey cakey.pem \
          -set_serial 1 -out clientcert.pem
openssl x509 -req -days 365 -sha256 -in serverkey.csr -CA cacert.pem -CAkey cakey.pem \
          -set_serial 94345 -out servercert.pem

# libvirtd is stopped while its PKI is replaced (upstart service name)
stop libvirt-bin
echo "Remove current PKI"
rm -rf /etc/pki/CA
rm -rf /etc/pki/libvirt
rm -rf /etc/pki/libvirt-vnc
rm -rf /etc/pki/libvirt-spice

echo "Create new PKI"
mkdir -p /etc/pki/CA

echo "Copy Certificates"
cp cacert.pem /etc/pki/CA/.
mkdir -p /etc/pki/libvirt/private
cp servercert.pem /etc/pki/libvirt/.
cp serverkey.pem /etc/pki/libvirt/private/.
# The server key must not be readable by "other"
chmod -R o-rwx /etc/pki/libvirt/private
chown -R $USER_QEMU /etc/pki/libvirt
# VNC + SPICE use the same CA, server certificate and key under their own
# directory names; hard links keep a single copy of the key on disk
mkdir -p /etc/pki/{libvirt-vnc,libvirt-spice}
ln /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem
ln /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
ln /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
ln /etc/pki/CA/cacert.pem /etc/pki/libvirt-spice/ca-cert.pem
ln /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-spice/server-cert.pem
ln /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-spice/server-key.pem

echo "Copy the Client Certificates"
# Client side: ~/libvirt mirrors the /etc/pki layout so it can be copied to the
# client machine as-is
rm -rf $USER_DIR/libvirt
mkdir -p $USER_DIR/libvirt/CA
cp cacert.pem $USER_DIR/libvirt/CA
mkdir -p $USER_DIR/libvirt/libvirt/
cp clientcert.pem $USER_DIR/libvirt/libvirt
mkdir -p $USER_DIR/libvirt/libvirt/private
cp clientkey.pem $USER_DIR/libvirt/libvirt/private
chmod -R o-rwx $USER_DIR/libvirt/libvirt/private
chown -R $USER $USER_DIR/libvirt
start libvirt-bin
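Before pointing clients at the host, it is worth confirming that what the script installed is consistent: the server certificate chains to the CA, the key belongs to that certificate, the CN is the FQDN clients will use, and the key is not world-readable. The check below is an added example, not part of the original post; the function name and the PKI_ROOT argument are assumptions chosen so it can run against a scratch directory with the same layout (pass /etc/pki to check the live installation).

```shell
#!/bin/sh
# Added example (not from the original post). Checks a libvirt-style PKI tree:
#   $1/CA/cacert.pem
#   $1/libvirt/servercert.pem
#   $1/libvirt/private/serverkey.pem
# $2 is the FQDN clients connect to. Returns 0 when everything is consistent,
# otherwise a distinct non-zero code per failed check.
check_libvirt_pki() {
    root="$1"
    fqdn="$2"
    ca="$root/CA/cacert.pem"
    cert="$root/libvirt/servercert.pem"
    key="$root/libvirt/private/serverkey.pem"

    # 1. The server certificate must chain to the CA the clients are given.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: servercert.pem is not signed by cacert.pem"; return 1; }

    # 2. The private key must belong to the certificate: compare public keys.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key: serverkey.pem does not match servercert.pem"; return 2; }

    # 3. libvirt clients compare the certificate CN with the host name they
    #    connected to, so the CN must be the FQDN in use.
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "subject: CN is not $fqdn"; return 3; }

    # 4. The "other" permission bits of the key must all be cleared.
    [ "$(ls -l "$key" | cut -c8-10)" = "---" ] \
        || { echo "perms: serverkey.pem is readable by others"; return 4; }

    echo "ok: $cert"
    return 0
}
```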

Sources

Information was gathered from the following pages. I recommend reading them.

3 Comments

  1. ltjd says:

    I probably found a small bug in the script:
    openssl req -new -x509 -days 1095 -key cakey.pem -out cacert.pem -sha256 \
    -subj $SUBJECT

    $SUBJECT doesn’t exist, after changing this to $SUBJECT_CA the script seems to work.

  2. Benjamin says:

    Thanks for the notice. I’ll change it in the post.

  3. Thanks Benjamin for the nice lineup. I had to fix it a bit for my install since I am running from source; still, the copy-to-client part was what I was looking for for one of my scripts.
