Creating the CA certificate
1. Set up the CA certificate template
# cat certificate_authority_template.info
cn = Name of your organization
ca
cert_signing_key
expiration_days = 700
2. Generate the CA private key
certtool --generate-privkey > certificate_authority_key.pem
3. Use the CA private key and the template file certificate_authority_template.info to generate the self-signed CA certificate
# certtool --generate-self-signed \
--template certificate_authority_template.info \
--load-privkey certificate_authority_key.pem \
--outfile certificate_authority_certificate.pem
Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 4c741265
Validity:
Not Before: Tue Aug 24 18:41:41 UTC 2010
Not After: Wed Aug 24 18:41:41 UTC 2011
Subject: CN=libvirt.org
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
9512006c97dbdedbb3232a22cfea6b1341d72d76
Other Information:
Public Key Id:
9512006c97dbdedbb3232a22cfea6b1341d72d76
Signing certificate...
4. Copy the CA certificate certificate_authority_certificate.pem to /etc/pki/CA/cacert.pem on each host and set its permissions: chmod 444 /etc/pki/CA/cacert.pem
Setting up the TLS server certificate for libvirt
5. Set up the server template file host1_server_template.info
# cat host1_server_template.info
organization = libvirt.org
cn = host1
tls_www_server
encryption_key
signing_key
6. Create the server private key
certtool --generate-privkey > host1_server_key.pem
7. Use the CA certificate, the CA private key, the host template and the server private key to generate the server host certificate host1_server_certificate.pem
# certtool --generate-certificate \
--template host1_server_template.info \
--load-privkey host1_server_key.pem \
--load-ca-certificate certificate_authority_certificate.pem \
--load-ca-privkey certificate_authority_key.pem \
--outfile host1_server_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 4c749699
Validity:
Not Before: Wed Aug 25 04:05:45 UTC 2010
Not After: Thu Aug 25 04:05:45 UTC 2011
Subject: O=libvirt.org,CN=host1
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Server.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
6ddcfcc00a5ffe064a756d2623ea90fa20ff782c
Authority Key Identifier (not critical):
9512006c97dbdedbb3232a22cfea6b1341d72d76
Other Information:
Public Key Id:
6ddcfcc00a5ffe064a756d2623ea90fa20ff782c
Signing certificate...
Repeat these steps for each host so that every host gets its own server certificate.

8. Place the server certificate at /etc/pki/libvirt/servercert.pem and the server private key at /etc/pki/libvirt/private/serverkey.pem, and set the file permissions as follows:
Server Certificate path: /etc/pki/libvirt/servercert.pem
Ownership: root:qemu
Permissions: u=r,g=r,o= (440)
SELinux label: system_u:object_r:cert_t:s0
Private Key for Server Certificate: /etc/pki/libvirt/private/serverkey.pem
Ownership: root:qemu
Permissions: u=r,g=r,o= (440)
SELinux label: system_u:object_r:cert_t:s0
Setting up the TLS client certificate for libvirt
9. Create the client certificate template
# cat host1_client_template.info
country = AU
state = Queensland
locality = Brisbane
organization = libvirt.org
cn = host1
tls_www_client
encryption_key
signing_key
10. Generate the client private key
certtool --generate-privkey > host1_client_key.pem
11. Use the template file and the private key to generate the client certificate
# certtool --generate-certificate \
--template host1_client_template.info \
--load-privkey host1_client_key.pem \
--load-ca-certificate certificate_authority_certificate.pem \
--load-ca-privkey certificate_authority_key.pem \
--outfile host1_client_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 4c75e08c
Validity:
Not Before: Thu Aug 26 03:33:32 UTC 2010
Not After: Fri Aug 26 03:33:32 UTC 2011
Subject: C=AU,O=libvirt.org,L=Brisbane,ST=Queensland,CN=host1
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
20a33ffc7ead1c61ea0890c0c30da0248c8fa80d
Authority Key Identifier (not critical):
9512006c97dbdedbb3232a22cfea6b1341d72d76
Other Information:
Public Key Id:
20a33ffc7ead1c61ea0890c0c30da0248c8fa80d
Signing certificate...

12. Place the client certificate at /etc/pki/libvirt/clientcert.pem and the private key at /etc/pki/libvirt/private/clientkey.pem, and set the permissions as follows:
Client Certificate path: /etc/pki/libvirt/clientcert.pem
Ownership: root:root
Permissions: u=r,g=,o= (400)
SELinux label: system_u:object_r:cert_t:s0
Private Key for Client Certificate: /etc/pki/libvirt/private/clientkey.pem
Ownership: root:root
Permissions: u=r,g=,o= (400)
SELinux label: system_u:object_r:cert_t:s0
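As an added check (example script written for these notes, not part of the original procedure): a POSIX sh audit of the file layout from steps 4, 8 and 12 that compares each file's mode and owner:group with the values listed above. It assumes GNU stat on Linux, and it assumes cacert.pem is owned by root:root, which the notes do not state.

```shell
#!/bin/sh
# Audit the libvirt TLS files against the modes and owners given in the notes.
# Assumes GNU stat (Linux). The root:root owner for cacert.pem is an assumption.

# check_pki_file PATH MODE OWNER:GROUP
# Returns 0 when the file exists with exactly that mode and owner, 1 otherwise.
check_pki_file() {
    path=$1; want_mode=$2; want_owner=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have_mode=$(stat -c '%a' "$path")
    have_owner=$(stat -c '%U:%G' "$path")
    status=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $path is $have_mode, expected $want_mode"
        status=1
    fi
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER    $path is $have_owner, expected $want_owner"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK       $path ($have_mode $have_owner)"
    return "$status"
}

# audit_libvirt_pki
# Checks every file from steps 4, 8 and 12; returns 0 only if all of them match.
audit_libvirt_pki() {
    rc=0
    check_pki_file /etc/pki/CA/cacert.pem                  444 root:root || rc=1
    check_pki_file /etc/pki/libvirt/servercert.pem         440 root:qemu || rc=1
    check_pki_file /etc/pki/libvirt/private/serverkey.pem  440 root:qemu || rc=1
    check_pki_file /etc/pki/libvirt/clientcert.pem         400 root:root || rc=1
    check_pki_file /etc/pki/libvirt/private/clientkey.pem  400 root:root || rc=1
    return "$rc"
}
```

Source the file and run audit_libvirt_pki on a host; a non-zero exit means at least one file is missing or has the wrong mode or owner.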
Configuring the libvirtd daemon to use TLS
13. In /etc/sysconfig/libvirtd, remove the comment mark from #LIBVIRTD_ARGS="--listen" so that it reads LIBVIRTD_ARGS="--listen"
14. To protect the server from unauthorized clients, list in libvirtd.conf the clients that are allowed to connect over TLS. Note that tls_allowed_dn_list must not be set to an empty list: an empty list rejects every client connection.
tls_allowed_dn_list = ["Client 1",
"Client 2",
"Client 3"]
15. Then restart libvirt: service libvirtd restart