Hi Michael,

>> 1) The private key of the server (i.e., qemu-kvm) will be required to
>> be passwordless, because if it is password-protected the password
>> would have to be sent in clear via command line args -- a false
>> security;
>
> Please don't forget to update “gnt-cluster renew-crypto”. There is
> already code to generate X509 certificates.

I wouldn't create new certificates only for SPICE. The client only wants to have the certificate of the CA, and checks if the server certificate is signed by the CA it knows. So, are there some certs that I can use? Like node certs or even cluster certs?

Moreover, I think that it's not useful to allow the user to use different certs, just use the ones we decide.

Thanks,
Andrea
