[Spice-devel] [virt-tools-list] Where to put certificates for remote-viewer on windows [SOLVED, PARTIALLY]
Uri Lublin
uril at redhat.com
Tue Aug 27 16:31:26 PDT 2013
On 08/26/2013 10:49 PM, Fernando Lozano wrote:
> Hi there,
>
> I partially solved my question. Describing it here so others can find
> it in the mailing list archives.
>
> That is, I solved only for remote-viewer on Windows. virt-viewer and
> virsh still cannot connect using TLS.
>
>
>> I downloaded the latest virt-viewer installer for windows from
>> fedorahosted.org (0.5.7) and wish to use spice+tls to access VM
>> consoles from a Fedora machine. I know my certificates are properly
>> configured on the server side because I can connect from another
>> Fedora machine using both remote-viewer and virsh.
>>
>> But on Windows it won't work. Virt-viewer was installed on the
>> default location, so I guessed I had to put cacert.pem on:
>>
>> "C:\Program Files (x86)\VirtViewer\etc\pki\CA"
>>
>> and the client certificates on:
>>
>> "C:\Program Files (x86)\VirtViewer\etc\pki\libvirt"
>
> Connections to libvirtd and to a spice server use different TLS
> setups. I was mistaken believing it was ok on my Linux machines, the
> fact was they were connecting using TLS to libvirtd but then using an
> insecure spice connection to the guest consoles. The same setup solved
> both Linux and Windows issues regarding spice, but that info is not
> easy to find.
>
> The CA certificate configured on the kvm host (saved as
> "/etc/pki/CA/cacert.pem") has to be copied to
> $HOME/.spicec/spice_truststore.pem. A symbolic link also works fine.
>
> On Windows, you have to copy the CA cert "spice_truststore.pem" to
> "C:\Users\<YourUser>\.spicec". Note Windows Explorer will refuse to
> create a folder name starting with a dot, so you'll have to use the
> Windows Command Prompt.
>
> Then you can use connection URLs like "spice://kvmhost?tls-port=5901"
> and be assured you'll use only TLS connections to the spice display
> (checked using netstat on both Linux server and Windows client).
Hi Fernando,
Thanks for sharing this.
Another option is to use the command line option
--spice-ca-file=<ca-cert-pem-file>
Thanks,
Uri.
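The Linux-side procedure from this thread (install the host's CA certificate as the client truststore, then connect with a tls-port-only URL), written up as an added shell example. This is not code from the thread or from the spice-gtk/virt-viewer projects. It assumes, as the thread states, that the client truststore lives at ~/.spicec/spice_truststore.pem and that remote-viewer accepts --spice-ca-file; the PEM check is a plain text check, not a full parse, and the sample certificate in the test is constructed, not a real CA.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed paths/options (from the thread):
#   ~/.spicec/spice_truststore.pem   client truststore read by the spice client
#   --spice-ca-file=FILE             remote-viewer option naming the CA file
# Nothing here talks to a server; it prepares the client side and builds the
# command line you would then run.

# pem_is_cert FILE: succeed only if FILE looks like a PEM certificate.
# Refuses private keys so the CA's key is never copied onto the client by mistake.
pem_is_cert() {
    [ -r "$1" ] || return 1
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing $1: contains a private key, not a CA certificate" >&2
        return 1
    fi
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$1" || return 1
    return 0
}

# install_truststore CA_PEM [SPICEC_DIR]: copy the CA cert into the client
# truststore location (default ~/.spicec), keeping the directory private.
install_truststore() {
    ca="$1"
    dir="${2:-$HOME/.spicec}"
    pem_is_cert "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" || return 1
    cp "$ca" "$dir/spice_truststore.pem" || return 1
    chmod 644 "$dir/spice_truststore.pem"
}

# spice_tls_url HOST TLS_PORT: URL with only a tls-port, so the client has no
# plaintext port to fall back to (the form used in the thread).
spice_tls_url() {
    printf 'spice://%s?tls-port=%s\n' "$1" "$2"
}

# remote_viewer_cmd HOST TLS_PORT CA_PEM: full invocation using Uri's
# --spice-ca-file option instead of relying on the default truststore path.
remote_viewer_cmd() {
    printf 'remote-viewer --spice-ca-file=%s %s\n' "$3" "$(spice_tls_url "$1" "$2")"
}

# Typical use on the client:
#   install_truststore /path/to/cacert.pem
#   $(remote_viewer_cmd kvmhost 5901 "$HOME/.spicec/spice_truststore.pem")
```

On Windows the same file goes under C:\Users\<YourUser>\.spicec; as the thread notes, Explorer will not create a folder whose name starts with a dot, so create it from the Command Prompt. After connecting, confirm with netstat on both ends that the only spice connection is to the tls-port.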