From Spice
Spice supports SSL connections. The documentation in the user guide is adaquate to creating certificates using openssl, but doesn't go into length about using them.
TODO: All of this needs to go into an updated user manual.
There are two certificates, the server cert and the ca cert. The ca is the only one that needs to be in sync between the client and server.
spicec looks for %APPDATA%\spicec\spice_truststore.pem / $HOME/.spice/spice_truststore.pem. This needs to be identical to the ca-cert.pem on the server, i.e. the ca used to sign the server certificate. The client will use this to authenticate the server.
The server has a number of flags (renamed but essentially the same as in the 0.4 user manual):
- ca-cert
- ca-crl - not really required?
- server-cert
- server-key
you can use the predefined names, in that case you only need to specify a single subdirectory parameter.
Example invocation:
qemu -snapshot /images2/f14_alpha.raw -m 1024 -vga qxl -spice port=5913,tls-port=5914,disable-ticketing,x509-dir=/images2/pki_certs/,tls-channel=main,tls-channel=inputs
If your server key requires a passphrase you can provide it with the x509-key-password parameter (but since that will be visible from ps it is not recommended)
Client:
- Copy ca-cert.pem to %APPDATA%\Roaming\spicec\spice_truststore.pem
- Take SUBJECT from the server-cert.pem file:
* SUBJECT=`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`
- Run:
spicec -h host -p 5913 -s 5914 --secure-channels all --host-subject $SUBJECT
Creating a self signed ca and signing a server certificate. the host-subject is the server certificate subject, not the ca's:
(In this example "C=IL,L=Raanana,O=Red Hat,CN=my server"
#!/bin/bash
SERVER_KEY=server-key.pem
# creating a key for our ca
if [ ! -e ca-key.pem ]; then
openssl genrsa -des3 -out ca-key.pem 1024
fi
# creating a ca
if [ ! -e ca-cert.pem ]; then
openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e $SERVER_KEY ]; then
openssl genrsa -out $SERVER_KEY 1024
fi
# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
openssl req -new -key $SERVER_KEY -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi
# now create a key that doesn't require a passphrase openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure mv $SERVER_KEY $SERVER_KEY.secure mv $SERVER_KEY.insecure $SERVER_KEY
# show the results (no other effect) openssl rsa -noout -text -in $SERVER_KEY openssl rsa -noout -text -in ca-key.pem openssl req -noout -text -in server-key.csr openssl x509 -noout -text -in server-cert.pem openssl x509 -noout -text -in ca-cert.pem
