


Spice supports SSL connections. The documentation in the user guide is adequate for creating certificates using openssl, but doesn't go into detail about using them.

TODO: All of this needs to go into an updated user manual.

There are two certificates: the server cert and the CA cert (the certificate authority, the verifier of the server certificate). The CA cert is the only one that needs to be in sync between the client and the server.

TODO: update this part for remote-viewer

spicec looks for %APPDATA%\spicec\spice_truststore.pem / $HOME/.spicec/spice_truststore.pem. This needs to be identical to the ca-cert.pem on the server, i.e. the ca used to sign the server certificate. The client will use this to authenticate the server.

The server has a number of flags (renamed but essentially the same as in the 0.4 user manual):

  • ca-cert
  • ca-crl - not really required?
  • server-cert
  • server-key

You can use the predefined names; in that case you only need to specify a single subdirectory parameter (x509-dir in the example below).

Example invocation


qemu -snapshot /images2/f14_alpha.raw -m 1024 -vga qxl -spice port=5913,tls-port=5914,disable-ticketing,x509-dir=/images2/pki_certs/,tls-channel=main,tls-channel=inputs

If your server key requires a passphrase, you can provide it with the x509-key-password parameter, but since it will then be visible in the output of ps, this is not recommended.


  • Copy ca-cert.pem to %APPDATA%\Roaming\spicec\spice_truststore.pem
  • Take SUBJECT from the server-cert.pem file:
    SUBJECT=`openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "`
  • Run:

remote viewer (supported client)

remote-viewer --spice-ca-file=ca-cert.pem spice://localhost:5913?tls-port=5914 "--spice-host-subject=$SUBJECT"

Note: the quoting is needed because $SUBJECT may contain spaces.

Note 2: If there is no non-secure port (i.e. -spice tls-port=5914 only), use the following URI: spice://localhost?tls-port=5914

spicec (Old deprecated client)

spicec -h host -p 5913 -s 5914 --secure-channels all --host-subject "$SUBJECT"

Certificate creation

Creating a self-signed CA and signing a server certificate. The host-subject is the server certificate's subject, not the CA's.

(In this example: "C=IL,L=Raanana,O=Red Hat,CN=my server")

#!/bin/bash

# name of the server key file (server-key.pem matches the predefined names used with x509-dir)
SERVER_KEY=server-key.pem

# creating a key for our ca
# (1024-bit RSA is kept from the original example; use 2048 bits or more for real deployments)
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 1024
fi
# creating a ca
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e "$SERVER_KEY" ]; then
    openssl genrsa -out "$SERVER_KEY" 1024
fi
# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
    openssl req -new -key "$SERVER_KEY" -out server-key.csr -utf8 -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi
# now create a key that doesn't require a passphrase
openssl rsa -in "$SERVER_KEY" -out "$SERVER_KEY.insecure"
# show the results (no other effect)
openssl rsa -noout -text -in "$SERVER_KEY"
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem
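
Added example (not part of the original page or of the Spice project's code): a pre-flight check for the two values the client needs, namely that the server certificate really chains to the CA file the client will trust, and the subject string in the comma-separated form shown above. The function names, the --demo switch and the throwaway PKI built in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the CA file and host subject.

# Print the certificate subject in the comma-separated form used in this page's
# example ("C=IL,L=Raanana,O=Red Hat,CN=my server"), without depending on how
# the installed openssl lays out its -text output.
host_subject() {
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1" |
        sed 's/^subject= *//'
}

# Succeed only if the certificate in $2 chains to the CA in $1, which is the
# check the client makes with its truststore / --spice-ca-file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Build constructed, throwaway test material in directory $1: a CA, a server
# certificate signed by it, and an unrelated CA (all subjects are sample values).
make_demo_pki() {
    (
        cd "$1" || exit 1
        for ca in ca other-ca; do
            openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
                -keyout "$ca-key.pem" -out "$ca-cert.pem" \
                -subj "/C=IL/L=Raanana/O=Red Hat/CN=my $ca" 2>/dev/null || exit 1
        done
        openssl req -new -newkey rsa:2048 -nodes -keyout server-key.pem \
            -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server" \
            2>/dev/null || exit 1
        openssl x509 -req -days 1 -in server-key.csr -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
    )
}

# Run both checks against the constructed PKI and report the results.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || return 1
    echo "host subject: $(host_subject "$dir/server-cert.pem")"
    chain_ok "$dir/ca-cert.pem" "$dir/server-cert.pem" && echo "signing CA: OK"
    chain_ok "$dir/other-ca-cert.pem" "$dir/server-cert.pem" ||
        echo "unrelated CA: rejected"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On real files, run chain_ok ca-cert.pem server-cert.pem before copying the CA file to the client, and pass the output of host_subject server-cert.pem as the host subject.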