[gnutls-help] certtool - key encipherment (X.509v3 extension)

Tobias --- tobbe.se at gmail.com
Sun Dec 13 21:34:20 CET 2015


I'm trying to create a certificate that contains the necessary options to
let libvirtd service work to as intended with remote control over TLS.

I have created my own CA using certtool and the problem that I'm having is
with the server certificate.
The template that I'm using when I create the CSR is as follows:

organization = "Local libvirtd"
unit = "libvirtd server"
cn = "oink"
country = "SE"
state = "Sweden"
expiration_days = 1095

I've also tried to make certtool honour the extensions which it does to a
certain degree. The "encryption_key" is not honored even if I try to
enforce it using the "honour_crq_extensions" option as well as using the
above template when I sign the CSR with the CA. The resulting PEM-encoded
certificate generates the following error during startup of libvirtd:

dec 13 20:58:20 oink libvirtd[15630]: Certificate
/etc/pki/libvirt/servercert.pem usage does not permit key encipherment

When I verify the certificates then I get no indications that something is
missing. When I inspect the certificates then the encryption_key extension
is missing and the only options that show up in the certificate are the
tls_www_server and signing_key options. I'm trying to use encryption_key
because libvirtd expects it and the manual for libvirtd also indicates that
it's needed ( http://libvirt.org/remote.html ).

I am able to get around this issue by telling libivirtd to skip sanity
check of its own certificates, but the missing key encipherment usage
option in the certificate is missing.

Is this behaviour expected?

The current version of certtool is 3.4.7, running on a up-to-date install
of Arch Linux.

Thanks in advance,
Tobias Dahlberg
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20151213/1c66b421/attachment.html>

More information about the Gnutls-help mailing list