author | Daniel P. Berrange <berrange@redhat.com> | 2016-09-15 14:47:59 +0100 |
---|---|---|
committer | Daniel P. Berrange <berrange@redhat.com> | 2016-09-19 11:02:26 +0100 |
commit | c255bc7185556800697a50c1c42d1bb333411526 (patch) | |
tree | 8857b8a655804e255aa241a5b6f0329794985cb1 /docs/remote.html.in | |
parent | 921ec15fdbf215e74f0898b0b8cf879db63ccb4b (diff) | |
download | libvirt-c255bc7185556800697a50c1c42d1bb333411526.tar.gz |
docs: expand docs on user x509 cert locations
The layout in $HOME/.pki is different from that in /etc/pki
but we never tell anyone about this trap. Add docs showing
the required $HOME/.pki layout.
Diffstat (limited to 'docs/remote.html.in')
-rw-r--r-- | docs/remote.html.in | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/docs/remote.html.in b/docs/remote.html.in index 9b132f13d7..4c3012f1b4 100644 --- a/docs/remote.html.in +++ b/docs/remote.html.in @@ -419,13 +419,21 @@ next section. <td> <code>/etc/pki/CA/cacert.pem</code> </td> - <td> Installed on all clients and servers </td> + <td> Installed on the client and server </td> <td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td> <td> n/a </td> </tr> <tr> <td> - <code>/etc/pki/libvirt/ private/serverkey.pem</code> + <code>$HOME/.pki/cacert.pem</code> + </td> + <td> Installed on the client </td> + <td> CA's certificate (<a href="#Remote_TLS_CA">more info</a>)</td> + <td> n/a </td> + </tr> + <tr> + <td> + <code>/etc/pki/libvirt/private/serverkey.pem</code> </td> <td> Installed on the server </td> <td> Server's private key (<a href="#Remote_TLS_server_certificates">more info</a>)</td> @@ -433,7 +441,7 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ servercert.pem</code> + <code>/etc/pki/libvirt/servercert.pem</code> </td> <td> Installed on the server </td> <td> Server's certificate signed by the CA. @@ -443,7 +451,26 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ private/clientkey.pem</code> + <code>/etc/pki/libvirt/private/clientkey.pem</code> + </td> + <td> Installed on the client </td> + <td> Client's private key. (<a href="#Remote_TLS_client_certificates">more info</a>) </td> + <td> n/a </td> + </tr> + <tr> + <td> + <code>/etc/pki/libvirt/clientcert.pem</code> + </td> + <td> Installed on the client </td> + <td> Client's certificate signed by the CA + (<a href="#Remote_TLS_client_certificates">more info</a>) </td> + <td> Distinguished Name (DN) can be checked against an access + control list (<code>tls_allowed_dn_list</code>). + </td> + </tr> + <tr> + <td> + <code>$HOME/.pki/libvirt/clientkey.pem</code> </td> <td> Installed on the client </td> <td> Client's private key. (<a href="#Remote_TLS_client_certificates">more info</a>) </td> 
@@ -451,7 +478,7 @@ next section. </tr> <tr> <td> - <code>/etc/pki/libvirt/ clientcert.pem</code> + <code>$HOME/.pki/libvirt/clientcert.pem</code> </td> <td> Installed on the client </td> <td> Client's certificate signed by the CA @@ -469,7 +496,7 @@ next section. </p> <ul> <li> For a non-root user, libvirt tries to find the certificates - in $HOME/.pki/libvirt. If the required CA certificate cannot + in $HOME/.pki/libvirt first. If the required CA certificate cannot be found, then the global default location (/etc/pki/CA/cacert.pem) will be used. Likewise, if either the client certificate @@ -477,7 +504,7 @@ next section. locations (/etc/pki/libvirt/clientcert.pem, /etc/pki/libvirt/private/clientkey.pem) will be used. </li> - <li> For the root user, the global default locations will be used.</li> + <li> For the root user, the global default locations will always be used.</li> </ul> <h4> <a name="Remote_TLS_background">Background to TLS certificates</a> |
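Review bot: the non-root bullet in the @@ -469,7 +496,7 @@ hunk is still ambiguous about where the user CA certificate lives. The new table row in the first hunk places it at `$HOME/.pki/cacert.pem`, one directory above the `$HOME/.pki/libvirt/` directory that holds `clientcert.pem` and `clientkey.pem`, yet the bullet only says libvirt looks "in $HOME/.pki/libvirt first" before falling back to `/etc/pki/CA/cacert.pem`. Since the different layout is exactly the trap the commit message wants to document, the bullet should name the CA path explicitly, e.g. "libvirt looks for `$HOME/.pki/cacert.pem` and then for the client certificate and key in `$HOME/.pki/libvirt`", so a reader does not conclude from the bullet that `$HOME/.pki/libvirt/cacert.pem` is consulted.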
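Review bot: the fallback described across the @@ -469,7 +496,7 @@ and @@ -477,7 +504,7 @@ hunks is per file, not all-or-nothing, and the wording "If the required CA certificate cannot be found ... Likewise, if either the client certificate ..." leaves that implicit. It would be worth one sentence stating that a user-owned `$HOME/.pki/cacert.pem`, when present, replaces the system trust anchor for that user's connections, and that a partially populated `$HOME/.pki` therefore yields a mix of per-user and `/etc/pki` files rather than an error; that is the behaviour a non-root user debugging a TLS failure most needs to know.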