RHEL-100711

Can't secure Libvirt with TLS 1.3 ML-DSA certificates


    • libvirt-11.5.0-3.el10
    • Important
    • rhel-virt-core-libvirt-1

      What were you trying to do that didn't work?

      TLS 1.3 server and client setup with ML-DSA

      What is the impact of this issue to you?

      We can't set up post-quantum security

      Please provide the package NVR for which the bug is seen:

      libvirt-11.4.0-1.el10

      How reproducible is this bug?:

      100%

      Steps to reproduce

      1. Follow the official steps as on https://libvirt.org/kbase/tlscerts.html, but in the first step select the ML-DSA algorithm via
        certtool --generate-privkey --key-type=mldsa65

        (This requires gnutls-utils-3.8.9 which is already available in RHEL 10.1.)

      2. # virt-pki-validate
      3. From a client try to connect to the server
        # virsh -c qemu://<tls-secured-server>/system

      Expected results

      1. no failure in pki validation
      2. the client can connect

      Actual results

      1. On the server side and the client side we see a validation failure with the message
        SERVER: Checking cert properties                                             : FAIL (Certificate /etc/pki/libvirt/servercert.pem usage does not permit key encipherment)

        and

        CLIENT: Checking cert properties                                             : FAIL (Certificate /etc/pki/libvirt/clientcert.pem usage does not permit key encipherment)
        
      2. When trying to connect, the client error message is
        $ virsh -c qemu://<remote-ip>/system
        error: failed to connect to the hypervisor
        error: Certificate /etc/pki/libvirt/clientcert.pem usage does not permit key encipherment
        

      Additional info

      1. The error message indicates that the "Key Encipherment" X.509v3 extension is missing; however, in gnutls this is handled with encryption_key, which is part of the template.
        1. It seems we need to update our docs (upstream) because "Key Encipherment" doesn't apply to anything other than RSA.
      2. rhn-engineering-berrange hinted at this issue, likely with the same root cause: https://gitlab.com/libvirt/libvirt/-/issues/691
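The following is an added illustration and is not code from the report, from libvirt or from gnutls. It decodes the KeyUsage BIT STRING (RFC 5280 section 4.2.1.3) that the "key encipherment" message is about and applies a simplified model of the certificate usage check in two policies: the one the report observes (keyEncipherment required for every server/client certificate) and the one the reporter argues for (keyEncipherment required only for RSA keys, since ML-DSA is signature-only). The DER values, the certificate path and the two-policy `check_usage` function are constructed for the example; the ML-DSA OIDs are assumed to be the NIST CSOR assignments.

```python
"""Decode X.509 KeyUsage and apply a libvirt-style usage policy to it.

Added example (not libvirt code): shows why a signature-only ML-DSA
certificate trips a check that unconditionally demands keyEncipherment.
"""
from typing import Dict, Optional, Set

# Bit positions as defined in RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# rsaEncryption (RFC 3279) and the ML-DSA OIDs (assumed NIST CSOR values).
OID_RSA = "1.2.840.113549.1.1.1"
OID_MLDSA65 = "2.16.840.1.101.3.4.3.18"

# Constructed DER BIT STRING values, not taken from real certificates:
# digitalSignature|keyEncipherment = bits 0 and 2 -> 0xA0, 5 unused bits;
# digitalSignature alone           = bit 0        -> 0x80, 7 unused bits.
KU_SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")
KU_SIGN_ONLY = bytes.fromhex("03020780")


def decode_key_usage(der: bytes) -> Set[str]:
    """Parse a short-form DER BIT STRING holding KeyUsage; return the set bits by name."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bit count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first content octet.
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def check_usage(path: str, key_oid: str, usage: Optional[Set[str]],
                encipherment_for_all_keys: bool) -> Optional[str]:
    """Return None if the cert passes, else a message in the style of the report.

    usage is None when the extension is absent, which RFC 5280 treats as
    "no restriction".  encipherment_for_all_keys=True models the behaviour the
    report observes; False requires keyEncipherment only for RSA keys, the only
    algorithm for which TLS ever uses the public key to encrypt.
    """
    if usage is None:
        return None
    if "digitalSignature" not in usage:
        return "Certificate %s usage does not permit digital signature" % path
    needs_encipherment = encipherment_for_all_keys or key_oid == OID_RSA
    if needs_encipherment and "keyEncipherment" not in usage:
        return "Certificate %s usage does not permit key encipherment" % path
    return None


def demo() -> Dict[str, Optional[str]]:
    """Replay the report's scenario: an ML-DSA-65 client cert with a signature-only KeyUsage."""
    path = "/etc/pki/libvirt/clientcert.pem"
    sign_only = decode_key_usage(KU_SIGN_ONLY)
    sign_and_encipher = decode_key_usage(KU_SIGN_AND_ENCIPHER)
    return {
        "mldsa65, encipherment required for all keys":
            check_usage(path, OID_MLDSA65, sign_only, True),
        "mldsa65, encipherment required for RSA only":
            check_usage(path, OID_MLDSA65, sign_only, False),
        "rsa without keyEncipherment":
            check_usage(path, OID_RSA, sign_only, False),
        "rsa with keyEncipherment":
            check_usage(path, OID_RSA, sign_and_encipher, False),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print("%-48s %s" % (scenario, result or "OK"))
```

The first scenario reproduces the message quoted under "Actual results"; the second passes the same certificate once keyEncipherment is demanded only for RSA keys, while an RSA certificate lacking the bit still fails, so the relaxed policy does not weaken the RSA case.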

              People: Peter Krempa (pkrempa@redhat.com), Sebastian Mitterle (smitterl@redhat.com), Zhen Tang