NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

docs: expand docs on user x509 cert locations

Browse Source 
The layout in $HOME/.pki is different from that in /etc/pki
but we never tell anyone about this trap. Add docs showing
the required $HOME/.pki layout.
This commit is contained in:
Daniel P. Berrange 2016-09-15 14:47:59 +01:00
parent 921ec15fdb
commit c255bc7185
1 changed files with 34 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
docs/remote.html.in
View File

@ -419,7 +419,15 @@ next section.
<td> <td>
<code>/etc/pki/CA/cacert.pem</code> <code>/etc/pki/CA/cacert.pem</code>
</td> </td>
<td> Installed on all clients and servers </td> <td> Installed on the client and server </td>
<td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td>
<td> n/a </td>
</tr>
<tr>
<td>
<code>$HOME/.pki/cacert.pem</code>
</td>
<td> Installed on the client </td>
<td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td> <td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td>
<td> n/a </td> <td> n/a </td>
</tr> </tr>
@ -458,6 +466,25 @@ next section.
(<a href="#Remote_TLS_client_certificates">more info</a>) </td> (<a href="#Remote_TLS_client_certificates">more info</a>) </td>
<td> Distinguished Name (DN) can be checked against an access <td> Distinguished Name (DN) can be checked against an access
control list (<code>tls_allowed_dn_list</code>). control list (<code>tls_allowed_dn_list</code>).
</td>
</tr>
<tr>
<td>
<code>$HOME/.pki/libvirt/clientkey.pem</code>
</td>
<td> Installed on the client </td>
<td> Client's private key. (<a href="#Remote_TLS_client_certificates">more info</a>) </td>
<td> n/a </td>
</tr>
<tr>
<td>
<code>$HOME/.pki/libvirt/clientcert.pem</code>
</td>
<td> Installed on the client </td>
<td> Client's certificate signed by the CA
(<a href="#Remote_TLS_client_certificates">more info</a>) </td>
<td> Distinguished Name (DN) can be checked against an access
control list (<code>tls_allowed_dn_list</code>).
</td> </td>
</tr> </tr>
</table> </table>
@ -469,7 +496,7 @@ next section.
</p> </p>
<ul> <ul>
<li> For a non-root user, libvirt tries to find the certificates <li> For a non-root user, libvirt tries to find the certificates
in $HOME/.pki/libvirt. If the required CA certificate cannot in $HOME/.pki/libvirt first. If the required CA certificate cannot
be found, then the global default location be found, then the global default location
(/etc/pki/CA/cacert.pem) will be used. (/etc/pki/CA/cacert.pem) will be used.
Likewise, if either the client certificate Likewise, if either the client certificate
@ -477,7 +504,7 @@ next section.
locations (/etc/pki/libvirt/clientcert.pem, locations (/etc/pki/libvirt/clientcert.pem,
/etc/pki/libvirt/private/clientkey.pem) will be used. /etc/pki/libvirt/private/clientkey.pem) will be used.
</li> </li>
<li> For the root user, the global default locations will be used.</li> <li> For the root user, the global default locations will always be used.</li>
</ul> </ul>
<h4> <h4>
<a name="Remote_TLS_background">Background to TLS certificates</a> <a name="Remote_TLS_background">Background to TLS certificates</a>