[Spice-devel] [virt-tools-list] Where to put certificates for remote-viewer on windows [SOLVED, PARTIALLY]

Uri Lublin uril at redhat.com
Tue Aug 27 16:31:26 PDT 2013


On 08/26/2013 10:49 PM, Fernando Lozano wrote:
> Hi there,
>
> I partially solved my question. Describing it here so others can find 
> it in the mailing list archives.
>
> That is, I solved only for remote-viewer on Windows. virt-viewer and 
> virsh still cannot connect using TLS.
>
>
>> I downloaded the latest virt-viewer installer for windows from 
>> fedorahosted.org (0.5.7) and wish to use spice+tls to access VM 
>> consoles from a Fedora machine.  I know my certificates are properly 
>> configured on the server side because I can connect from another 
>> Fedora machine using both remote-viewer and virsh.
>>
>> But on Windows it won't work. Virt-viewer was installed on the 
>> default location, so I guessed I had to put cacert.pem on:
>>
>> "C:\Program Files (x86)\VirtViewer\etc\pki\CA"
>>
>> and the client certificates on:
>>
>> "C:\Program Files (x86)\VirtViewer\etc\pki\libvirt"
>
> Connections to libvirtd and to a spice server use different TLS 
> setups. I was mistaken believing it was ok on my Linux machines, the 
> fact was they were connecting using TLS to libvirtd but then using an 
> insecure spice connection to the guest consoles. The same setup solved 
> both Linux and Windows issues regarding spice, but that info is not 
> easy to find.
>
> The CA certificate configured on the kvm host (saved as 
> "/etc/pki/CA/cacert.pem") has to be copied to 
> $HOME/.spicec/spice_truststore.pem. A symbolic link also works fine.
>
> On Windows, you have to copy the CA cert "spice_truststore.pem" to 
> "C:\Users\<YourUser>\.spicec". Note Windows Explorer will refuse to 
> create a folder name starting with a dot, so you'll have to use the 
> Windows Command Prompt.
>
> Then you can use connection URLs like "spice://kvmhost?tls-port=5901" 
> and be assured you'll use only TLS connections to the spice display 
> (checked using netstat on both Linux server and Windows client).

Hi Fernando,

Thanks for sharing this.
Another option is to use the command line option 
--spice-ca-file=<ca-cert-pem-file>

Thanks,
     Uri.
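
The Windows trust-store setup described in this thread, as an added example that is not part of the original messages: a PowerShell script that checks the file really is a currently valid PEM CA certificate before installing it as `spice_truststore.pem`. The `-CaCertPath` parameter and the assumption that `cacert.pem` was already copied from the KVM host are illustrative.

```powershell
# Added example: install a CA certificate as the SPICE client trust store on Windows.
param(
    # Assumption: cacert.pem was already copied from the KVM host (/etc/pki/CA/cacert.pem).
    [Parameter(Mandatory = $true)][string]$CaCertPath
)
$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path -LiteralPath $CaCertPath).Path

# The trust store must be PEM text, so reject DER or unrelated files early.
if (-not (Select-String -LiteralPath $fullPath -SimpleMatch '-----BEGIN CERTIFICATE-----' -Quiet)) {
    throw "No PEM certificate block found in $fullPath"
}

# Parse the certificate; a corrupt file throws here instead of failing later in the viewer.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

# Refuse to trust a certificate that is not marked as a CA.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Not a CA certificate (basicConstraints CA flag missing): $($cert.Subject)"
}

# Refuse a certificate outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

# PowerShell can create the dot-prefixed folder that Windows Explorer refuses to create.
$spiceDir = Join-Path $env:USERPROFILE '.spicec'
New-Item -ItemType Directory -Force -Path $spiceDir | Out-Null
$target = Join-Path $spiceDir 'spice_truststore.pem'
Copy-Item -LiteralPath $fullPath -Destination $target -Force

# Print what is now trusted so it can be compared with the certificate on the host.
Write-Output "Installed CA: $($cert.Subject)"
Write-Output "SHA-1 thumbprint: $($cert.Thumbprint)"
Write-Output "Trust store: $target"
Write-Output 'Connect with: remote-viewer "spice://kvmhost?tls-port=5901"'
```

Compare the printed thumbprint with the fingerprint of `/etc/pki/CA/cacert.pem` on the host before relying on the connection.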


