From: Sebastian Mitterle Date: Thu, 7 Aug 2025 13:39:12 +0000 (+0200) Subject: docs/tlscerts: mention dropped 'encryption_key' X-Git-Tag: v11.7.0-rc1~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e43cf0a4ffe99220c11a8f831613ea0097b6cff;p=thirdparty%2Flibvirt.git docs/tlscerts: mention dropped 'encryption_key' Older libvirt versions still only work if 'encryption_key' is enabled in the server and client certificates. Add a note. Suggested-by: Daniel P. Berrangé Reviewed-by: Daniel P. Berrangé Signed-off-by: Sebastian Mitterle --- diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index 9063e17fce..c10ab11b7f 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -104,6 +104,18 @@ connect provided they have a valid certificate issued by the CA for their own IP address. You may want to change this to make it less (or more) permissive, depending on your needs. +The following sections will describe how to created the data needed for the TLS +setup. They use templates to create Certificate Authority, server and client +certificates. + +Important: versions of libvirt before 11.6.0 also required the ``encryption_key`` +flag in the server and client template. This is no longer mandated since it is +not applicable for use with many modern cryptographic algorithms, but it is +harmless if present as it will be ignored. If compatibility with both old and +new libvirt versions is required, then this extra flag must be added when +creating the certificate. + + Setting up a Certificate Authority (CA) ---------------------------------------
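Review bot: the first added paragraph has a typo, "how to created the data" should read "how to create the data". In the "Important:" paragraph, the last sentence says the extra flag "must be added when creating the certificate" but does not say where. Since the preceding sentence places it in the server and client templates, consider wording it as "add ``encryption_key`` to the server and client templates" so readers who need compatibility with versions before 11.6.0 know which files to edit. The hunk also adds two blank lines before the "Setting up a Certificate Authority (CA)" heading; one is enough unless the rest of the file uses two before section titles.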