Red Hat Bugzilla – Bug 529179
Better error messages for CA's certificates lacking basicConstraints=CA:TRUE extension
Last modified: 2012-04-17 10:22:18 EDT
Some products create certificates without the basicConstraints=CA:TRUE extension. This causes gnutls to treat the certificate as untrusted when libvirtd tries to validate it.
libvirtd: 17:17:21.919: error : remoteCheckCertificate: the client certificate is not trusted.
libvirtd: 17:17:21.919: error : remoteCheckCertificate: failed to verify client's certificate
While the error message is technically correct, it is not helpful for users trying to figure out what is wrong with their certs. It is very easy to create broken CA certs like this using the openssl command line tool, so it would be better if libvirt could detect this particular scenario and log a more explicit message.
e.g. the trouble cert shows
while a good cert shows
# Basic Constraints (critical):
# Certificate Authority (CA): TRUE
# Key Usage (critical):
# Certificate signing.
# Subject Key Identifier (not critical):
This patch adds such checking
Been upstream for a while
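For illustration, the check described in this bug written as a minimal DER walk over a certificate's Extensions list: it reports whether basicConstraints is absent, CA:FALSE or CA:TRUE and produces the explicit diagnostic the report asks for. This is an added example, not libvirt's patch (which uses gnutls); the DER helpers, the sample extension lists and the message wording are assumptions made for this example.

```python
# Added example (not libvirt's patch, which uses gnutls): walk a certificate's
# DER Extensions list and report a missing or FALSE basicConstraints cA flag.
BASIC_CONSTRAINTS_OID = b"\x55\x1d\x13"   # id-ce-basicConstraints, 2.5.29.19

def der_read(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_tlv(tag, value):
    """Encode a DER TLV (short length form; enough for the samples below)."""
    return bytes([tag, len(value)]) + value

def ca_flag(extensions_der):
    """cA from basicConstraints: True/False, or None when the extension is absent."""
    _, exts, _ = der_read(extensions_der, 0)      # Extensions ::= SEQUENCE OF Extension
    pos = 0
    while pos < len(exts):
        _, ext, pos = der_read(exts, pos)          # Extension ::= SEQUENCE
        _, oid, p = der_read(ext, 0)               #   extnID OBJECT IDENTIFIER
        tag, value, p = der_read(ext, p)           #   critical BOOLEAN (optional)
        if tag == 0x01:
            _, value, p = der_read(ext, p)         #   extnValue OCTET STRING
        if oid != BASIC_CONSTRAINTS_OID:
            continue
        _, bc, _ = der_read(value, 0)              # BasicConstraints ::= SEQUENCE
        return bc[:1] == b"\x01" and bc[2] != 0    # cA BOOLEAN; DER omits it when FALSE
    return None

def make_extensions(ca):
    """Constructed sample Extensions; ca=None omits basicConstraints (the 'trouble' cert)."""
    exts = b""
    if ca is not None:
        bc = der_tlv(0x30, der_tlv(0x01, b"\xff") if ca else b"")
        exts += der_tlv(0x30, der_tlv(0x06, BASIC_CONSTRAINTS_OID) + der_tlv(0x01, b"\xff") + der_tlv(0x04, bc))
    # a subjectKeyIdentifier (2.5.29.14) so the parser has to skip an unrelated extension
    exts += der_tlv(0x30, der_tlv(0x06, b"\x55\x1d\x0e") + der_tlv(0x04, der_tlv(0x04, b"\x01\x02\x03")))
    return der_tlv(0x30, exts)

def check_ca_cert(extensions_der):
    """The explicit diagnostic the report asks for, instead of a bare 'not trusted'."""
    flag = ca_flag(extensions_der)
    if flag is None:
        return "CA certificate has no basicConstraints extension; gnutls will not trust it"
    if not flag:
        return "CA certificate has basicConstraints CA:FALSE; gnutls will not trust it"
    return "ok"
```

Run `check_ca_cert(make_extensions(None))` to see the message for a CA cert built without the extension, and `make_extensions(True)` for the good case shown above.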