Difference between certificate in `lxc info` and client.crt

Hello everyone,

for the setup of a new LXD server with TLS authentication I chose to add client certificates manually via `lxc config trust add client.crt`.

This requires that new users have to send me their (auto-generated) client certificate. The client certificate can be found in `~/snap/lxd/current/.config/lxc/client.crt`. For apt installation I guess it can be found in `~/.config/lxc/client.crt`.

However, I noticed that the output of `lxc info` shows another certificate that is different from `client.crt`. What is the use case of the certificate shown in `lxc info`?

lxc info shows the server certificate, so server.crt or cluster.crt from /var/snap/lxd/common/lxd/


Hello @stgraber,

thank you for explaining the difference between both certificates. I’ve used a LXD client for testing purposes also as a server. That might be the reason for the server certificate shown in lxc info.

Your clarification will help to formulate user instructions correctly.

The client certificate isn’t here… I’m trying to find it.

```
cat ~/snap/lxd/current/.config/lxc/client.crt
cat: /home/erik/snap/lxd/current/.config/lxc/client.crt: No such file or directory
```

These days it’s at ~/snap/lxd/common/config/client.crt


My client has been installed with “apt” and there is no cert in “~/.config/lxc/client.crt”

How can I manually create a certificate and add it to lxc such that it will find the certificate and that I can also add it to a remote?

[UPDATE]: As I browsed through GitHub issues, I saw that running:

```
lxc remote add
```

will (re)create a client certificate in: `$HOME/.config/lxc/client.crt`

This is true for the “apt” installation of lxc.

Would it make sense to introduce perhaps a “lxc certificate” command? It makes little sense to me at least to (re)create a client certificate/key only as part of a remote add.

Hi, I am using lxd 5.10. Where is the current location of client.crt? I am not able to find it at ~/snap/lxd/common/config/client.crt

```
stgraber@dakara:~$ ls ~/snap/lxd/common/config/client.crt
/home/stgraber/snap/lxd/common/config/client.crt
```

Maybe it wasn’t generated yet? The CLI tool won’t generate it until you try to connect to a remote server.

Thanks for clarification @stgraber
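Added example, not part of the thread and not LXD's own code: a shell sketch that looks for `client.crt` in the three locations mentioned in the posts above and prints its SHA-256 fingerprint, so the user and the server administrator can compare it out of band before `lxc config trust add`. It assumes that LXD's fingerprint is the SHA-256 of the DER-encoded certificate and that `awk`, `base64` and `sha256sum` are installed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: locate the LXD client certificate and fingerprint it.

# Print the first existing client.crt among the paths named in this thread
# (current snap path first, then the older snap path, then the apt path).
find_client_cert() {
    for p in \
        "$HOME/snap/lxd/common/config/client.crt" \
        "$HOME/snap/lxd/current/.config/lxc/client.crt" \
        "$HOME/.config/lxc/client.crt"
    do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Print the SHA-256 of the first certificate in a PEM file (hex, lowercase).
# Assumption: this matches the fingerprint LXD shows for a trusted certificate.
cert_fingerprint() {
    # A file that carries a private key must never be sent to the admin.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "refusing: $1 contains a private key" >&2
        return 2
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || {
        echo "no PEM certificate found in $1" >&2
        return 3
    }
    # Keep only the base64 body of the first certificate, decode to DER, hash.
    awk '/-----BEGIN CERTIFICATE-----/{f=1; next}
         /-----END CERTIFICATE-----/{exit}
         f' "$1" | tr -d ' \t\r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

if cert=$(find_client_cert); then
    echo "client certificate: $cert"
    echo "sha256 fingerprint: $(cert_fingerprint "$cert")"
else
    # As noted in the thread, the CLI only generates the certificate
    # the first time it tries to connect to a remote server.
    echo "no client.crt found yet in any known location"
fi
```
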