Re: [Spice-devel] problems with intermediate certificates

2014-08-27 Thread Christophe Fergeau
On Mon, Aug 25, 2014 at 04:09:56PM +, Dietmar Maurer wrote:
> > To make sure I understand, you start with a Root CA which I assume you
> > generated yourself and is self-signed?
>
> We use official certs from "StartCom Certification Authority" using
> "StartCom Class 2 Primary Intermediate

Re: [Spice-devel] problems with intermediate certificates

2014-08-25 Thread Dietmar Maurer
> Also, do you account for intermediate CA in your setup? You have basically
> two options how to handle it:
>
> 1) "standard": server-cert.pem should contain the whole chain of certificates
> under root CA, e.g:
> * Int. CA 1
> * Int. CA 2
> * server cert
> you just cat them to the fi

Re: [Spice-devel] problems with intermediate certificates

2014-08-25 Thread Dietmar Maurer
> To make sure I understand, you start with a Root CA which I assume you
> generated yourself and is self-signed?

We use official certs from "StartCom Certification Authority" using "StartCom Class 2 Primary Intermediate Server CA" intermediate CA. But we just observed that the same setup wor

Re: [Spice-devel] problems with intermediate certificates

2014-08-25 Thread David Jaša
Hi Dietmar,

does the certificate setup work for other TLS apps, such as web server/browser or just simple openssl s_(server|client)?

Also, do you account for intermediate CA in your setup? You have basically two options how to handle it:

1) "standard": server-cert.pem should contain the whole cha

Re: [Spice-devel] problems with intermediate certificates

2014-08-25 Thread Christophe Fergeau
Hey,

On Fri, Aug 22, 2014 at 08:22:22AM +, Dietmar Maurer wrote:
> I use the following certificate files:
>
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
>
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [vi

Re: [Spice-devel] problems with intermediate certificates

2014-08-22 Thread Dietmar Maurer
> I think you must be able to "openssl verify" your file without specifying the
> CAfile, if you want Spice ssl checks to pass.

Sorry, but how should that work? For example:

# cat server.pem intermediate_certificate.pem ca.pem >mix.pem

So the file contains all needed certificates, but:

# openss

Re: [Spice-devel] problems with intermediate certificates

2014-08-22 Thread Marc-André Lureau
Hi Dietmar

- Original Message -
> I use the following certificate files:
>
> # openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
> /etc/pve/local/pve-ssl.pem: OK
>
> I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:
> [virt-viewer]
> ca=-BEGIN CE

[Spice-devel] problems with intermediate certificates

2014-08-22 Thread Dietmar Maurer
I use the following certificate files:

# openssl verify -CAfile /etc/pve/pve-root-ca.pem /etc/pve/local/pve-ssl.pem
/etc/pve/local/pve-ssl.pem: OK

I pass the content of /etc/pve/pve-root-ca.pem to virt-viewer:

[virt-viewer]
ca=-BEGIN CERTIFICATE-\nXX/Q=\n-END CERTIFICATE-\