Bug
Resolution: Unresolved
rhel-10.1
rhel-virt-core
qemu-kvm-10.0.0-10.el10.x86_64
$ cat ca.info
cn = ACME Corp
ca
cert_signing_key
$ cat local.info
cn = localhost
dns_name = localhost
dns_name = localhost.localdomain
ip_address = 127.0.0.1
tls_www_server
signing_key
$ cat create.sh
#!/bin/sh
certtool --generate-privkey > ca-key.pem
certtool --generate-privkey > server-key.pem
certtool --generate-self-signed \
--load-privkey ca-key.pem \
--template ca.info \
--outfile ca-cert.pem
certtool --generate-certificate \
--load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem \
--load-ca-privkey ca-key.pem \
--template local.info \
--outfile server-cert.pem
$ ./create.sh
$ qemu-system-x86_64 -object tls-creds-x509,id=tls0,dir=`pwd`,endpoint=server
qemu-system-x86_64: Certificate /var/home/berrange/tls/old/server-cert.pem usage does not permit key encipherment
Historically QEMU expected 'key encipherment' to be listed as a key usage, which the gnutls .info templates request via the 'encryption_key' flag.
That flag has been deprecated for elliptic curve keys: gnutls ignores the request when generating certificates for anything other than DSA / GOST algorithms, even if 'encryption_key' is set in the template.
The QEMU check therefore rejects every EC-based certificate, and will likewise reject PQC certificates, so it must be removed.
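To see the mismatch concretely, the added script below (not part of the bug report) builds two self-signed localhost server certificates with openssl instead of certtool: an EC one carrying only digitalSignature, as gnutls emits for EC keys, and an RSA one that also carries keyEncipherment. It then applies the historical QEMU rule quoted in the error above to each; the file names, the P-256 curve and the relaxed_check rule are assumptions for illustration, not QEMU's actual patch.

```shell
#!/bin/sh
# Added example: openssl stands in for gnutls certtool; names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert ALGO NAME USAGES: self-signed cert for localhost with the given
# keyUsage bits (same names as the local.info template in the report)
make_cert() {
    case "$1" in
        ec)  KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256" ;;
        rsa) KEYOPTS="-newkey rsa:2048" ;;
    esac
    openssl req -x509 -nodes -days 1 $KEYOPTS \
        -subj "/CN=localhost" \
        -addext "keyUsage=critical,$3" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "subjectAltName=DNS:localhost,DNS:localhost.localdomain,IP:127.0.0.1" \
        -keyout "$WORK/$2-key.pem" -out "$WORK/$2-cert.pem" 2>/dev/null
}

# key_usage CERT: decoded Key Usage of a PEM cert, e.g. "DigitalSignature,KeyEncipherment"
key_usage() {
    openssl x509 -in "$1" -noout -ext keyUsage | sed -n '2,$p' | tr -d ' '
}

# historical_check CERT: the pre-fix QEMU rule from the report. Exit 0 if the
# cert would be accepted, 1 if QEMU would refuse it ("does not permit key encipherment").
historical_check() {
    key_usage "$1" | grep -q 'KeyEncipherment'
}

# relaxed_check CERT: illustrative rule (not QEMU's patch) that only requires
# Digital Signature, which is what an ECDHE handshake needs from the server cert.
relaxed_check() {
    key_usage "$1" | grep -q 'DigitalSignature'
}

make_cert ec  server     digitalSignature
make_cert rsa rsa-server digitalSignature,keyEncipherment

for c in server rsa-server; do
    printf '%s: usage=%s historical=' "$c" "$(key_usage "$WORK/$c-cert.pem")"
    historical_check "$WORK/$c-cert.pem" && echo accepted || echo "refused (key encipherment)"
done
```

Running it prints "refused" for the EC certificate and "accepted" for the RSA one, which is exactly the divergence that makes the check unusable for EC and PQC keys.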
Is related to: RHEL-112085 qemu-nbd with TLS exports image fails with Certificate $server-cert.pem usage does not permit key encipherment