From Fedora Project Wiki

Description

Setup

Make sure you have a guest that can be started successfully.

How to test

  1. Force off the running guest.
  2. Go to the guest detail panel and remove the "Display VNC" device.
  3. Click the "Add Hardware" button at the bottom left.
  4. Add "Graphics" -> Type "SPICE server".
  5. Uncheck "Automatically allocated".
  6. Set Port to 5901 and TLS port to 5902.
  7. Click Finish, go back to the guest detail overview panel and click Apply.
  8. Uncomment (enable) the following two settings in /etc/libvirt/qemu.conf:
    -# spice_tls = 1
    + spice_tls = 1
    
    -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    + spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    
  9. Run the following script to generate the CA and server certificate files for TLS and install them into /etc/pki/libvirt-spice. Only ca-cert.pem, server-cert.pem and server-key.pem belong in that directory; the CA private key (ca-key.pem) stays on the signing host.
    #!/bin/bash
    # Create a private CA, a server key and a server certificate signed by
    # that CA, and install what qemu needs into the directory configured above.
    set -e

    CERT_DIR=/etc/pki/libvirt-spice
    SERVER_KEY=server-key.pem
    CA_SUBJECT="/C=IL/L=Raanana/O=Red Hat/CN=my CA"
    SERVER_SUBJECT="/C=IL/L=Raanana/O=Red Hat/CN=my server"

    # creating a key for our ca (passphrase protected, you will be prompted).
    # 2048-bit RSA throughout; 1024-bit keys are no longer acceptable.
    if [ ! -e ca-key.pem ]; then
      openssl genrsa -des3 -out ca-key.pem 2048
    fi
    # creating a ca
    if [ ! -e ca-cert.pem ]; then
      openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "$CA_SUBJECT"
    fi
    # create server key. It is generated without a passphrase on purpose:
    # qemu has to load it unattended, so it is protected by file permissions.
    if [ ! -e "$SERVER_KEY" ]; then
      openssl genrsa -out "$SERVER_KEY" 2048
      chmod 600 "$SERVER_KEY"
    fi
    # create a certificate signing request (csr)
    if [ ! -e server-key.csr ]; then
      openssl req -new -key "$SERVER_KEY" -out server-key.csr -subj "$SERVER_SUBJECT"
    fi
    # signing our server certificate with this ca
    if [ ! -e server-cert.pem ]; then
      openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
    fi

    # show the results (no other effect)
    openssl rsa -noout -text -in "$SERVER_KEY"
    openssl rsa -noout -text -in ca-key.pem
    openssl req -noout -text -in server-key.csr
    openssl x509 -noout -text -in server-cert.pem
    openssl x509 -noout -text -in ca-cert.pem

    # install only the three files qemu reads from spice_tls_x509_cert_dir.
    # Do not "cp ./*.pem": that would also ship the CA private key
    # (ca-key.pem), which must stay on the signing host only.
    mkdir -p "$CERT_DIR"
    cp ca-cert.pem server-cert.pem "$SERVER_KEY" "$CERT_DIR"
    # the key must be readable by the user qemu runs as (the "user" setting
    # in qemu.conf, qemu:qemu on Fedora) and by nobody else
    chown root:qemu "$CERT_DIR/$SERVER_KEY"
    chmod 640 "$CERT_DIR/$SERVER_KEY"

    # echo --host-subject: the server certificate's subject (not the CA's),
    # in the comma-separated form spicec expects
    echo "your --host-subject is \"$(printf '%s' "${SERVER_SUBJECT#/}" | tr '/' ',')\""
     
  10. Restart libvirtd so it re-reads the configuration: service libvirtd restart
  11. Start the guest: virsh start <guest>
  12. Access the guest with the following command line. The --host-subject value is the subject of the server certificate (CN=my server), not of the CA; it is passed explicitly because the certificate was issued for that name and not for 127.0.0.1, so spicec cannot match it against the host name. Use the value printed at the end of step 9.
    spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server"
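As an added example (not part of the original test case, nor code from libvirt or SPICE), the following shell script checks the outcome of steps 8 to 12 before you reach for spicec: that spice_tls is really enabled in qemu.conf, that the certificate directory holds exactly the three files qemu reads and not the CA's private key, that the server key is not world-readable, that the server certificate chains to the CA and matches the key, which --host-subject to pass, and that the TLS port answers a handshake whose certificate verifies against the CA. The script name spice-tls-check.sh, the SERVER_SUBJECT variable and the file names inside spice_tls_x509_cert_dir (ca-cert.pem, server-cert.pem, server-key.pem, as produced in step 9) are assumptions made for this example.

```shell
#!/bin/bash
# spice-tls-check.sh (hypothetical name): sanity-check the result of steps
# 8 to 12 before starting spicec. Added example, not part of the original
# test case. Assumes the file names qemu reads from spice_tls_x509_cert_dir
# (ca-cert.pem, server-cert.pem, server-key.pem), as produced in step 9.

# Return 0 if CONF has an uncommented "spice_tls = 1" line.
check_spice_tls_enabled() {
    grep -Eq '^[[:space:]]*spice_tls[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print the quoted value of spice_tls_x509_cert_dir from CONF, or the default
# shown in the commented-out line (/etc/pki/libvirt-spice) if it is not set.
spice_cert_dir() {
    local dir
    dir=$(sed -nE 's/^[[:space:]]*spice_tls_x509_cert_dir[[:space:]]*=[[:space:]]*"([^"]*)".*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${dir:-/etc/pki/libvirt-spice}"
}

# Return 0 if DIR holds the three files qemu needs, does not hold the CA
# private key, and keeps the server key away from other users.
check_cert_dir() {
    local dir="$1" f rc=0
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable: $dir/$f" >&2; rc=1; }
    done
    if [ -e "$dir/ca-key.pem" ]; then
        echo "CA private key found in $dir; it belongs on the signing host only" >&2
        rc=1
    fi
    # -perm -004: the other-read bit is set
    if [ -e "$dir/server-key.pem" ] && [ -n "$(find "$dir/server-key.pem" -perm -004)" ]; then
        echo "$dir/server-key.pem is world-readable" >&2
        rc=1
    fi
    return "$rc"
}

# Return 0 if server-cert.pem chains to ca-cert.pem and belongs to
# server-key.pem (RSA modulus comparison). Needs openssl.
verify_server_cert() {
    local dir="$1"
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server-key.pem")" ]
}

# Turn the OpenSSL -subj string the certificate was issued with into the
# comma-separated form spicec --host-subject takes.
host_subject_from_subj() {
    printf '%s\n' "${1#/}" | tr '/' ','
}

# Return 0 if HOST:PORT completes a TLS handshake with a certificate that
# verifies against CAFILE. Point it at the TLS port (5902); the plain SPICE
# port (5901) must not pass this check.
probe_tls_port() {
    local host="$1" port="$2" cafile="$3"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

main() {
    local conf="${1:-/etc/libvirt/qemu.conf}" host="${2:-127.0.0.1}" port="${3:-5902}" dir
    # subject used for the server CSR in step 9 (assumed; override via env)
    local subj="${SERVER_SUBJECT:-/C=IL/L=Raanana/O=Red Hat/CN=my server}"
    check_spice_tls_enabled "$conf" || { echo "spice_tls is not enabled in $conf" >&2; return 1; }
    dir=$(spice_cert_dir "$conf")
    check_cert_dir "$dir" || return 1
    verify_server_cert "$dir" || { echo "server-cert.pem does not verify against ca-cert.pem and server-key.pem" >&2; return 1; }
    echo "connect with: spicec -h $host -p 5901 -s $port --host-subject \"$(host_subject_from_subj "$subj")\""
    probe_tls_port "$host" "$port" "$dir/ca-cert.pem" && echo "TLS handshake on $host:$port verified against ca-cert.pem"
}

# Run the checks only when a qemu.conf path is given, e.g.
#   sh spice-tls-check.sh /etc/libvirt/qemu.conf 127.0.0.1 5902
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as root after step 11 (the server key is readable only by root and the qemu group). Pointing probe_tls_port at the plain port 5901 instead of 5902 must fail, which is the negative half of the check in Expected Results: only the TLS port should speak TLS.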

Expected Results

  1. Make sure you CAN access the SPICE console at 127.0.0.1 with the TLS port set, with the server certificate verified against the CA and the --host-subject given.