Applies to openSUSE Leap 42.1

B Appendix

B.1 Generating x509 Client/Server Certificates

To be able to create x509 client and server certificates you need to issue them by a Certificate Authority (CA). It is recommended to set up an independent CA that only issues certificates for libvirt.

  1. Set up a CA as described in Book “Security Guide”, Chapter 17 “Managing X.509 Certification”, Section 17.2.1 “Creating a Root CA”.

  2. Create a server and a client certificate as described in Book “Security Guide”, Chapter 17 “Managing X.509 Certification”, Section 17.2.4 “Creating or Revoking User Certificates”. The Common Name (CN) for the server certificate must be the fully qualified host name, while the Common Name for the client certificate can be freely chosen. For all other fields stick with the defaults suggested by YaST.

    Export the client and server certificates to a temporary location (for example, /tmp/x509/) by performing the following steps:

    1. Select the certificate on the certificates tab.

    2. Choose Export › Export to File › Certificate and the Key Unencrypted in PEM Format, provide the Certificate Password and the full path and the file name under File Name, for example, /tmp/x509/server.pem or /tmp/x509/client.pem.

    3. Open a terminal and change to the directory where you have saved the certificate and issue the following commands to split it into certificate and key (this example splits the server key):

      csplit -z -f s_ server.pem '/-----BEGIN/' '{1}'
             mv s_00 servercert.pem
             mv s_01 serverkey.pem
    4. Repeat the procedure for each client and server certificate you would like to export.

  3. Finally export the CA certificate by performing the following steps:

    1. Switch to the Description tab.

    2. Choose Advanced › Export to File › Only the Certificate in PEM Format and enter the full path and the file name under File Name, for example, /tmp/x509/cacert.pem.

Print this page