[Spice-devel] Why is the CA certificate needed on the SPICE server?
Gerd Hoffmann
kraxel at redhat.com
Wed Sep 7 07:30:11 PDT 2011
On 09/07/11 16:17, Andrea Spadaccini wrote:
> Hi,
>
>>> I noticed that the SPICE server needs, apart from his key and
>>> certificate, also the certificate of the CA that signed its
>>> certificate.
>
>> You cannot verify a certificate if you don't have the certificate of the
>> authority who signed that certificate - which is the CA.
>
> But what is the point of verifying a certificate that resides on the
> server itself?
It's not required. spice-server will happily startup and operate just
fine without a ca certificate. I think it isn't used at all today.
That may change in the future in case spice gains x509 client
certificate support simliar to qemu's vnc server, then we'll obviously
need ca certificate(s) to verify the clients ...
cheers,
Gerd
More information about the Spice-devel
mailing list