Bug
Resolution: Unresolved
Affects Version: rhel-10.1
Severity: Moderate
Component: rhel-virt-storage
What were you trying to do that didn't work?
qemu-nbd with TLS exports image fails with Certificate $server-cert.pem usage does not permit key encipherment
Please provide the package NVR for which the bug is seen:
gnutls-3.8.10-2.el10.x86_64
crypto-policies-20250804-1.git2ca4115.el10.noarch
kernel-6.12.0-119.el10.x86_64
qemu-kvm-10.0.0-10.el10.x86_64
How reproducible is this bug?:
100%
Steps to reproduce
Step 1: Set Variables and Create Directories
First, define your variables and create the necessary directories for the certificates.
hostname="dell-per760-14.lab.eng.pek2.redhat.com"
host_ip="10.73.194.29"
server_dir="/etc/pki/qemu-nbd"
client_dir="/etc/pki/qemu-kvm"
#Delete and recreate directories to ensure a clean environment
sudo rm -rf "$server_dir" "$client_dir"
sudo mkdir -p "$server_dir" "$client_dir"
echo "Certificate directories created: $server_dir and $client_dir"
Step 2: Generate the Certificate Authority (CA) Key and Certificate
This step creates the root CA for your TLS environment.
#Generate the CA private key with ML-DSA-65 algorithm
sudo certtool --generate-privkey --key-type=mldsa65 > "$server_dir/ca-key.pem"
#Create the CA certificate information file
cat <<EOF | sudo tee "$server_dir/ca.info"
cn = $hostname
ca
cert_signing_key
EOF
#Generate the self-signed CA certificate
sudo certtool --generate-self-signed --load-privkey "$server_dir/ca-key.pem" \
--template "$server_dir/ca.info" --outfile "$server_dir/ca-cert.pem"
echo "CA key and certificate generated."
Step 3: Generate the Server Key and Certificate
This step generates the key and a signed certificate for your NBD server.
#Generate the server private key with ML-DSA-65 algorithm
sudo certtool --generate-privkey --key-type=mldsa65 > "$server_dir/server-key.pem"
#Create the server certificate information file
cat <<EOF | sudo tee "$server_dir/server.info"
organization = AUTOTEST.QEMU
cn = $hostname
dns_name = $hostname
ip_address = $host_ip
tls_www_server
encryption_key
signing_key
EOF
#Generate the server certificate signed by the CA
sudo certtool --generate-certificate --load-privkey "$server_dir/server-key.pem" \
--load-ca-certificate "$server_dir/ca-cert.pem" \
--load-ca-privkey "$server_dir/ca-key.pem" \
--template "$server_dir/server.info" --outfile "$server_dir/server-cert.pem"
echo "Server key and certificate generated."
Step 4: Generate the Client Key and Certificate
This step generates the key and a signed certificate for your NBD client.
#Copy the CA certificate and key to the client directory
sudo cp -rp "$server_dir/ca-cert.pem" "$client_dir/"
sudo cp -rp "$server_dir/ca-key.pem" "$client_dir/"
#Generate the client private key with ML-DSA-65 algorithm
sudo certtool --generate-privkey --key-type=mldsa65 > "$client_dir/client-key.pem"
#Create the client certificate information file
cat <<EOF | sudo tee "$client_dir/client.info"
organization = AUTOTEST.QEMU
cn = $hostname
tls_www_client
encryption_key
signing_key
EOF
#Generate the client certificate signed by the CA
sudo certtool --generate-certificate --load-privkey "$client_dir/client-key.pem" \
--load-ca-certificate "$client_dir/ca-cert.pem" \
--load-ca-privkey "$client_dir/ca-key.pem" \
--template "$client_dir/client.info" --outfile "$client_dir/client-cert.pem"
echo "Client key and certificate generated."
Step 5: Create the image and export it via nbd
#qemu-img create -f raw os.img 20G
#qemu-nbd -f raw --object tls-creds-x509,id=os_raw_server,endpoint=server,dir=/etc/pki/qemu-nbd --tls-creds os_raw_server os.img
qemu-nbd: Certificate /etc/pki/qemu-nbd/server-cert.pem usage does not permit key encipherment
Expected results
qemu-nbd exports the image successfully.
Actual results
As above.
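The failure above comes from a Key Usage check on the server certificate. An ML-DSA key is signature-only, so a certificate for it cannot carry the keyEncipherment bit whatever the certtool template says, and any TLS-server check that demands that bit rejects every valid ML-DSA (or ECDSA / EdDSA) certificate; keyEncipherment is only meaningful for RSA key transport in TLS 1.2 and earlier, and TLS 1.3 never uses it. The following script is an added example, not code from the bug report, QEMU or GnuTLS: it decodes the KeyUsage extension from DER with the standard library alone, models the strict check implied by the error message (an assumption about QEMU's internal logic), and contrasts it with a key-type-aware policy (this example's own suggestion, not QEMU's fix). The two sample Extensions blobs are constructed inline; the ML-DSA one is assumed to match what `server-cert.pem` in this report carries (critical Key Usage with digitalSignature only).

```python
KEY_USAGE_OID = "2.5.29.15"          # id-ce-keyUsage (RFC 5280 4.2.1.3)
KEY_USAGE_OID_DER = b"\x55\x1d\x0f"
KEY_USAGE_BITS = [                   # bit positions in the KeyUsage BIT STRING
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
# Key types that can only sign; keyEncipherment can never legitimately be set
# for them (RFC 5480 for EC keys, FIPS 204 / LAMPS profile for ML-DSA).
SIGNATURE_ONLY_KEYS = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87", "ECDSA", "Ed25519", "Ed448"}


def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, end). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, v, pos = der_tlv(value, pos)
        yield tag, v


def der_enc(tag, content):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_key_usage(extensions_der):
    """Return (critical, set of usage names) for the KeyUsage extension in an
    X.509 Extensions SEQUENCE (the explicit [3] element of TBSCertificate in a
    full certificate), or None if the extension is absent."""
    tag, ext_seq, _ = der_tlv(extensions_der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    for _, ext in der_children(ext_seq):
        parts = list(der_children(ext))        # [OID, optional BOOLEAN, OCTET STRING]
        if decode_oid(parts[0][1]) != KEY_USAGE_OID:
            continue
        critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
        bit_tag, bitstr, _ = der_tlv(parts[-1][1])   # OCTET STRING wraps a BIT STRING
        assert bit_tag == 0x03
        unused, body = bitstr[0], bitstr[1:]
        total, bits = 8 * len(body), int.from_bytes(body, "big")
        usages = {name for i, name in enumerate(KEY_USAGE_BITS)
                  if i < total - unused and (bits >> (total - 1 - i)) & 1}
        return critical, usages
    return None


def key_usage_extension(usages, critical):
    """Build a DER Extension carrying the given usages (minimal DER bit string)."""
    idx = [KEY_USAGE_BITS.index(u) for u in usages]
    nbits = max(idx) + 1
    nbytes = (nbits + 7) // 8
    value = sum(1 << (8 * nbytes - 1 - i) for i in idx)
    bitstr = bytes([8 * nbytes - nbits]) + value.to_bytes(nbytes, "big")
    body = der_enc(0x06, KEY_USAGE_OID_DER)
    if critical:
        body += der_enc(0x01, b"\xff")
    body += der_enc(0x04, der_enc(0x03, bitstr))
    return der_enc(0x30, body)


def strict_server_check(critical, usages):
    """Model of the check behind the reported error (assumption inferred from the
    message text): the server cert must assert digitalSignature and
    keyEncipherment; a missing bit is fatal when the extension is critical."""
    problems = []
    for bit, label in (("digitalSignature", "digital signature"),
                       ("keyEncipherment", "key encipherment")):
        if bit not in usages:
            problems.append(f"{'error' if critical else 'warning'}: "
                            f"certificate usage does not permit {label}")
    return problems


def key_aware_server_check(critical, usages, key_type):
    """Illustrative policy (this example's suggestion, not QEMU's fix):
    digitalSignature is always required because every TLS server key signs the
    handshake; keyEncipherment only matters for RSA key transport in TLS <= 1.2,
    so its absence is never fatal and is irrelevant for signature-only keys."""
    problems = []
    if "digitalSignature" not in usages:
        problems.append("error: certificate usage does not permit digital signature")
    if key_type not in SIGNATURE_ONLY_KEYS and "keyEncipherment" not in usages:
        problems.append("warning: RSA key-transport cipher suites will be unavailable")
    return problems


# Constructed sample, assumed to match the report's server-cert.pem: an ML-DSA-65
# key cannot encipher, so only digitalSignature is set, in a critical extension.
MLDSA_SERVER_EXTENSIONS = der_enc(0x30, key_usage_extension({"digitalSignature"}, critical=True))
# Constructed sample of a classic RSA server certificate for comparison.
RSA_SERVER_EXTENSIONS = der_enc(0x30, key_usage_extension({"digitalSignature", "keyEncipherment"}, critical=True))


def evaluate(extensions_der, key_type):
    """Decode the Key Usage extension and run both checks over it."""
    critical, usages = decode_key_usage(extensions_der)
    return {"critical": critical, "usages": usages,
            "strict": strict_server_check(critical, usages),
            "key_aware": key_aware_server_check(critical, usages, key_type)}


if __name__ == "__main__":
    print("ML-DSA-65 server cert:", evaluate(MLDSA_SERVER_EXTENSIONS, "ML-DSA-65"))
    print("RSA server cert:      ", evaluate(RSA_SERVER_EXTENSIONS, "RSA"))
```

Running it shows the ML-DSA sample failing the strict check with the same wording as the report while passing the key-aware one, and the RSA sample passing both. To apply the decoder to a real certificate, extract the Extensions SEQUENCE from the DER TBSCertificate (context tag 0xA3) and pass its content to `decode_key_usage`; `certtool -i --infile server-cert.pem` shows the same bits in text form for a quick manual check.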
Relates to: RHEL-111933 QEMU incorrectly enforces "key encipherment" key usage in x509 certificates (New)