A.2 Generating x509 Client/Server Certificates

To create x509 client and server certificates, they must be issued by a Certificate Authority (CA). It is recommended to set up an independent CA that only issues certificates for libvirt.

  1. Set up a CA as described in Section 17.2.1, Creating a Root CA, (↑Security Guide).

  2. Create a server and a client certificate as described in Section 17.2.4, Creating or Revoking User Certificates, (↑Security Guide). The Common Name (CN) for the server certificate must be the fully qualified hostname; the Common Name for the client certificate can be freely chosen. For all other fields, stick with the defaults suggested by YaST.

    Export the client and server certificates to a temporary location (for example, /tmp/x509/) by performing the following steps:

    1. Select the certificate on the certificates tab.

    2. Choose Export > Export to File > Certificate and the Key Unencrypted in PEM Format, provide the Certificate Password and the full path and the filename under File Name, for example, /tmp/x509/server.pem or /tmp/x509/client.pem.

    3. Open a terminal, change to the directory where you have saved the certificate, and issue the following commands to split it into a certificate file and a key file (this example splits the exported server certificate, server.pem):

      csplit -z -f s_ server.pem '/-----BEGIN/' '{1}'
      mv s_00 servercert.pem
      mv s_01 serverkey.pem

    4. Repeat the procedure for each client and server certificate you would like to export.

  3. Finally export the CA certificate by performing the following steps:

    1. Switch to the Description tab.

    2. Choose Advanced > Export to File > Only the Certificate in PEM Format and enter the full path and the filename under File Name, for example, /tmp/x509/cacert.pem.
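The split in step 2.3 above, written as a small script that is an added example and not part of the SUSE guide or of libvirt: it separates the combined PEM that YaST exports into certificate and key files regardless of block order, restricts the key file's permissions, and checks that the key really belongs to the certificate and that the CN is the expected hostname before the files are copied into place. It assumes POSIX sh, awk and openssl are available; the file names follow the guide's servercert.pem / serverkey.pem convention.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): split a combined PEM export into
# certificate and key, then verify the pair before installing it for libvirt.
# Assumes POSIX sh, awk and openssl.

# split_pem COMBINED CERT_OUT KEY_OUT
# Copies the CERTIFICATE block to CERT_OUT and the private-key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...) to KEY_OUT, in
# whatever order they appear, dropping anything outside the PEM markers.
split_pem() {
    awk -v cert="$2" -v key="$3" '
        /^-----BEGIN CERTIFICATE-----$/   { out = cert }
        /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
        out != ""                         { print > out }
        /^-----END /                      { out = "" }
    ' "$1"
    chmod 600 "$3"                 # private key must not be world-readable
    [ -s "$2" ] && [ -s "$3" ]     # both files must be non-empty
}

# check_pair CERT KEY [EXPECTED_CN]
# Confirms KEY is the private key for CERT by comparing the public keys
# derived from each, prints the subject, and optionally checks the CN.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match $1" >&2; return 1; }
    subject=$(openssl x509 -in "$1" -noout -subject)
    echo "$subject"
    if [ -n "$3" ]; then
        # OpenSSL prints "CN = host" (1.1+) or "CN=host" (older releases)
        case "$subject" in
            *"CN = $3"*|*"CN=$3"*) ;;
            *) echo "CN is not $3" >&2; return 1 ;;
        esac
    fi
}

# Usage: sh split_and_check.sh /tmp/x509/server.pem "$(hostname -f)"
# (for a client certificate, omit the hostname argument)
if [ $# -ge 1 ]; then
    base=${1%.pem}
    split_pem "$1" "${base}cert.pem" "${base}key.pem" &&
    check_pair "${base}cert.pem" "${base}key.pem" "$2"
fi
```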