Make sure you have a guest that can be started successfully

How to test

  1. Force off the running guest
  2. Go to the guest detail panel and remove the "Display VNC" device
  3. Click the "Add Hardware" button at the bottom left
  4. Add "Graphics" -> Type "SPICE server"
  5. Check OFF "Automatically allocated"
  6. Set the Port to 5901 and the TLS port to 5902
  7. Click Finish, go back to the guest detail overview panel, and click the Apply button
  8. Modify the following in /etc/libvirt/qemu.conf
    -# spice_tls = 1
    + spice_tls = 1
    -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    + spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
  9. Run the following script to generate the certificate files for SSL and then copy the *.pem files into the /etc/pki/libvirt-spice directory
    #!/bin/bash
    # SPICE loads the server key from server-key.pem in the x509 directory
    SERVER_KEY=server-key.pem
    # creating a key for our ca
    if [ ! -e ca-key.pem ]; then
        openssl genrsa -des3 -out ca-key.pem 1024
    fi
    # creating a ca
    if [ ! -e ca-cert.pem ]; then
        openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem  -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    fi
    # create server key
    if [ ! -e $SERVER_KEY ]; then
        openssl genrsa -out $SERVER_KEY 1024
    fi
    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
        openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
    fi
    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
        openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi
    # now create a key that doesn't require a passphrase
    openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
    mv $SERVER_KEY $
    mv $SERVER_KEY.insecure $SERVER_KEY
    # show the results (no other effect)
    openssl rsa -noout -text -in $SERVER_KEY
    openssl rsa -noout -text -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem
    # copy *.pem file to /etc/pki/libvirt-spice, creating the directory if needed
    if [[ -d "/etc/pki/libvirt-spice" ]]; then
        cp ./*.pem /etc/pki/libvirt-spice
    else
        mkdir /etc/pki/libvirt-spice
        cp ./*.pem /etc/pki/libvirt-spice
    fi
    # echo --host-subject
    echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
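  10. Restart libvirtd to rescan the configuration: service libvirtd restart
  11. Start the guest: virsh start <guest>
  12. Access the guest with the following command line; --host-subject must match the subject of the server certificate, as printed at the end of the script in step 9
    spicec -h <host> -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server"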
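
A pre-flight audit of the settings from step 8 and the files from step 9, to run before restarting libvirtd in step 10. This is an added example, not part of the original test case; the function names conf_get and audit_spice_tls are hypothetical, and the openssl checks are skipped when openssl is not installed.

```shell
#!/bin/sh
# Added example, not part of the original test case. Function names are
# hypothetical. Audits the SPICE TLS setup made in steps 8 and 9.

# Print the value of an uncommented "key = value" line in a libvirt config.
conf_get() {  # usage: conf_get <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        tail -n 1 | tr -d '"' | sed 's/[[:space:]]*$//'
}

# Print one line per finding; return 0 only when nothing was found.
audit_spice_tls() {  # usage: audit_spice_tls <path to qemu.conf>
    conf=$1 bad=0
    [ "$(conf_get "$conf" spice_tls)" = 1 ] ||
        { echo "FAIL: spice_tls = 1 is not set in $conf"; bad=1; }
    dir=$(conf_get "$conf" spice_tls_x509_cert_dir)
    [ -n "$dir" ] ||
        { echo "FAIL: spice_tls_x509_cert_dir is not set in $conf"; return 1; }
    # The three files the SPICE server loads from the x509 directory.
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -s "$dir/$f" ] || { echo "FAIL: $dir/$f is missing or empty"; bad=1; }
    done
    # "cp ./*.pem" in step 9 also copies the CA private key; the server does
    # not need it, and anyone who reads it can issue trusted certificates.
    [ ! -e "$dir/ca-key.pem" ] ||
        { echo "WARN: CA private key is deployed as $dir/ca-key.pem"; bad=1; }
    # The server key has no passphrase, so file modes are its only protection.
    [ -z "$(find "$dir/server-key.pem" -perm -004 2>/dev/null)" ] ||
        { echo "WARN: $dir/server-key.pem is world-readable"; bad=1; }
    if command -v openssl >/dev/null 2>&1 && [ -s "$dir/server-cert.pem" ]; then
        # The server certificate must chain to the CA the client trusts.
        openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" \
            2>/dev/null | grep -q ': OK$' ||
            { echo "FAIL: server-cert.pem is not signed by ca-cert.pem"; bad=1; }
        # Certificate and private key must carry the same public key.
        c=$(openssl x509 -noout -pubkey -in "$dir/server-cert.pem" 2>/dev/null || true)
        k=$(openssl pkey -pubout -in "$dir/server-key.pem" 2>/dev/null || true)
        { [ -n "$c" ] && [ "$c" = "$k" ]; } ||
            { echo "FAIL: server-key.pem does not match server-cert.pem"; bad=1; }
    fi
    return "$bad"
}

# Run the audit when a config path is given, e.g. /etc/libvirt/qemu.conf.
if [ $# -gt 0 ]; then audit_spice_tls "$1"; fi
```

Run as written after step 9, the audit reports the CA private key in /etc/pki/libvirt-spice, because the script's final copy takes every *.pem file in the working directory.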

Expected Results

  1. Make sure you CAN access the spice interface via private with TLS port set