5.2. Remote Management Over TLS and SSL

You can manage virtual machines using TLS and SSL. TLS and SSL provide greater scalability but are more complicated to set up than SSH (refer to Section 5.1, “Remote Management with SSH”). TLS and SSL are the same technology used by web browsers for secure connections. The libvirt management connection opens a TCP port for incoming connections, which is encrypted and authenticated based on x509 certificates. The procedures that follow provide instructions on creating and deploying authentication certificates for TLS and SSL management.
Procedure 5.1. Creating a certificate authority (CA) key for TLS management

- Before you begin, confirm that the certtool utility is installed. If not:
  # yum install gnutls-utils
- Generate a private key, using the following command:
  # certtool --generate-privkey > cakey.pem
- Once the key generates, the next step is to create a signature file so the key can be self-signed. To do this, create a file with signature details and name it ca.info. This file should contain the following:
  # vim ca.info
  cn = Name of your organization
  ca
  cert_signing_key
- Generate the self-signed key with the following command:
  # certtool --generate-self-signed --load-privkey cakey.pem --template ca.info --outfile cacert.pem
  Once the file generates, the ca.info file may be deleted using the rm command. The file that results from the generation process is named cacert.pem. This file is the public key (certificate). The loaded file cakey.pem is the private key. This file should not be kept in a shared space. Keep this key private.
- Install the cacert.pem Certificate Authority Certificate file on all clients and servers at /etc/pki/CA/cacert.pem to let them know that certificates issued by your CA can be trusted. To view the contents of this file, run:
  # certtool -i --infile cacert.pem
  This is all that is required to set up your CA. Keep the CA's private key safe, as you will need it in order to issue certificates for your clients and servers.
Procedure 5.2. Issuing a server certificate

This procedure demonstrates how to issue a certificate with the X.509 CommonName (CN) field set to the host name of the server. The CN must match the host name which clients will be using to connect to the server. In this example, clients will be connecting to the server using the URI qemu://mycommonname/system, so the CN field should be identical, i.e. mycommonname.

- Create a private key for the server:
  # certtool --generate-privkey > serverkey.pem
- Create a template file called server.info for the certificate that the CA's private key will sign. Make sure that the CN is set to be the same as the server's host name:
  organization = Name of your organization
  cn = mycommonname
  tls_www_server
  encryption_key
  signing_key
- Create the certificate with the following command:
  # certtool --generate-certificate --load-privkey serverkey.pem --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
      --template server.info --outfile servercert.pem
- This results in two files being generated:
  - serverkey.pem - the server's private key
  - servercert.pem - the server's public key (certificate)
  Make sure to keep the location of the private key secret. To view the contents of the certificate file, run the following command:
  # certtool -i --infile servercert.pem
  In the output, the CN= parameter should be the same as the CN that you set earlier, for example mycommonname.
- Install the two files in the following locations:
  - serverkey.pem - the server's private key. Place this file at /etc/pki/libvirt/private/serverkey.pem on the server.
  - servercert.pem - the server's certificate. Install it at /etc/pki/libvirt/servercert.pem on the server.
Procedure 5.3. Issuing a client certificate

- For every client (i.e. any program linked with libvirt, such as virt-manager), you need to issue a certificate with the X.509 Distinguished Name (DN) set to a suitable name. This needs to be decided on a corporate level. For example purposes the following information will be used:
  C=USA,ST=North Carolina,L=Raleigh,O=Red Hat,CN=name_of_client
  This process is quite similar to Procedure 5.2, “Issuing a server certificate”, with the exceptions noted below.
- Make a private key with the following command:
  # certtool --generate-privkey > clientkey.pem
- Create a template file called client.info for the certificate that the CA's private key will sign. The file should contain the following (fields should be customized to reflect your region/location):
  country = USA
  state = North Carolina
  locality = Raleigh
  organization = Red Hat
  cn = client1
  tls_www_client
  encryption_key
  signing_key
- Sign the certificate with the following command:
  # certtool --generate-certificate --load-privkey clientkey.pem --load-ca-certificate cacert.pem \
      --load-ca-privkey cakey.pem --template client.info --outfile clientcert.pem
- Install the certificates on the client machine:
  # cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem
  # cp clientcert.pem /etc/pki/libvirt/clientcert.pem
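The three procedures above build a small private PKI by hand with certtool. As an added illustration (not code from this guide, from libvirt or from GnuTLS), the following Go program builds the same three artefacts with the standard library's crypto/x509 package and then performs the checks the certificates exist for: a client verifies servercert.pem against cacert.pem and against the host name from its connection URI, and a server verifies clientcert.pem against the same CA before reading its DN. Everything beyond the page's templates is an assumption made here: P-256 keys instead of certtool's default, a one-year validity period, the organization name "Example Org", and a subjectAltName dNSName on the server certificate (the template line dns_name = mycommonname in certtool terms), because Go, like most current TLS stacks, matches host names only against the SAN and never against the CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PKI holds in memory the files the three procedures write: cacert.pem/cakey.pem,
// servercert.pem/serverkey.pem and clientcert.pem/clientkey.pem.
type PKI struct {
	CACert, ServerCert, ClientCert *x509.Certificate
	CAKey, ServerKey, ClientKey    *ecdsa.PrivateKey
}

// issue generates a key ("certtool --generate-privkey"; P-256 is an assumption),
// fills in serial and validity and signs template. A nil parent means self-signed
// (Procedure 5.1); otherwise parent and caKey are the CA's certificate and key.
func issue(template, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	template.SerialNumber = big.NewInt(time.Now().UnixNano()) // a production CA uses random serials
	template.NotBefore = time.Now().Add(-time.Minute)
	template.NotAfter = time.Now().Add(365 * 24 * time.Hour) // one-year lifetime, an assumption
	if parent == nil {
		parent, caKey = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI runs the equivalent of Procedures 5.1 to 5.3 for one CA, one server
// host name and one client name.
func BuildPKI(org, serverHost, clientName string) (*PKI, error) {
	p := &PKI{}
	var err error
	// ca.info: cn = <org>, ca, cert_signing_key
	p.CACert, p.CAKey, err = issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: org},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	// server.info: organization, cn = <host>, tls_www_server, encryption_key, signing_key.
	// DNSNames is added to the page's template: Go matches the host name against the
	// SAN only, never the CN (certtool's template line for it is "dns_name = <host>").
	p.ServerCert, p.ServerKey, err = issue(&x509.Certificate{
		Subject:     pkix.Name{Organization: []string{org}, CommonName: serverHost},
		DNSNames:    []string{serverHost},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, p.CACert, p.CAKey)
	if err != nil {
		return nil, err
	}
	// client.info: the DN from Procedure 5.3 (C, ST, L, O, CN) plus tls_www_client.
	p.ClientCert, p.ClientKey, err = issue(&x509.Certificate{
		Subject: pkix.Name{Country: []string{"USA"}, Province: []string{"North Carolina"},
			Locality: []string{"Raleigh"}, Organization: []string{org}, CommonName: clientName},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, p.CACert, p.CAKey)
	return p, err
}

// verify uses the trust store a peer gets by installing cacert.pem: cert must chain
// to that CA, carry the expected usage and, if host is non-empty, name host in its SAN.
func verify(ca, cert *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// VerifyServer is the client's check; host is the name from the connection URI.
func VerifyServer(ca, server *x509.Certificate, host string) error {
	return verify(ca, server, host, x509.ExtKeyUsageServerAuth)
}

// VerifyClient is the server's check; client.Subject (the DN) then drives authorization.
func VerifyClient(ca, client *x509.Certificate) error {
	return verify(ca, client, "", x509.ExtKeyUsageClientAuth)
}
```

The functions are exercised with go test or from a small main that calls BuildPKI. The instructive results are the failures: VerifyServer returns a hostname error when the client connects to a name other than the one in the certificate (the mismatch the CN rule in Procedure 5.2 is there to prevent), VerifyServer on clientcert.pem fails on key usage, and either check fails with an unknown-authority error when the CA in the trust store is not the one that signed the certificate. In the libvirt deployment that trust store is /etc/pki/CA/cacert.pem, which is why the last step of Procedure 5.1 installs it on every client and server.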
