keylimectl: Fix agent add operation

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

Author: ansasaki

Cargo.lock

@@ -17,8 +17,10 @@ base64.workspace = true
 chrono.workspace = true
 clap.workspace = true
 config.workspace = true
+hex.workspace = true
 keylime.workspace = true
 log.workspace = true
+openssl.workspace = true
 pretty_env_logger.workspace = true
 reqwest.workspace = true
 reqwest-middleware.workspace = true

keylimectl/Cargo.toml

@@ -67,12 +67,12 @@ port = 8891
 # Path to client certificate file for mutual TLS authentication
 # Default: None (no client certificate)
 # Environment variable: KEYLIME_TLS__CLIENT_CERT
-client_cert = "/tmp/certs/client-cert.crt"
+client_cert = "/var/lib/keylime/cv_ca/client-cert.crt"
 
 # Path to client private key file for mutual TLS authentication
 # Default: None (no client key)
 # Environment variable: KEYLIME_TLS__CLIENT_KEY
-client_key = "/tmp/certs/client-private.pem"
+client_key = "/var/lib/keylime/cv_ca/client-private.pem"
 
 # Password for encrypted client private key (if applicable)
 # Default: None (no password)
@@ -82,13 +82,13 @@ client_key = "/tmp/certs/client-private.pem"
 # List of trusted CA certificate file paths for server verification
 # Default: [] (empty list - uses system CA store)
 # Environment variable: KEYLIME_TLS__TRUSTED_CA (comma-separated)
-trusted_ca = ["/tmp/certs/cacert.crt"]
+trusted_ca = ["/var/lib/keylime/cv_ca/cacert.crt"]
 
 # Whether to verify server certificates
 # Default: true
 # Environment variable: KEYLIME_TLS__VERIFY_SERVER_CERT
 # WARNING: Only disable for testing - never in production!
-verify_server_cert = false
+verify_server_cert = true
 
 # Whether to enable mutual TLS for agent communications
 # Default: true
@@ -228,4 +228,4 @@ max_retries = 3
 # 7. ~/.keylimectl.toml (user-specific)
 # 8. $XDG_CONFIG_HOME/keylime/keylimectl.conf (XDG standard)
 #
-# If no configuration files are found, keylimectl works with defaults.
+# If no configuration files are found, keylimectl works with defaults.

keylimectl/keylimectl.conf

@@ -165,8 +165,15 @@ impl BaseClient {
         }
 
         // Add trusted CA certificates for server verification
+        debug!(
+            "Attempting to load {} trusted CA certificate(s)",
+            config.tls.trusted_ca.len()
+        );
+        let mut loaded_cas = 0;
         for ca_path in &config.tls.trusted_ca {
+            debug!("Checking CA certificate: {ca_path}");
             if std::path::Path::new(ca_path).exists() {
+                debug!("CA certificate file exists, attempting to load: {ca_path}");
                 let ca_cert = std::fs::read(ca_path).map_err(|e| {
                     ClientError::Tls(TlsError::ca_certificate_file(
                         ca_path,
@@ -183,10 +190,15 @@ impl BaseClient {
                     })?;
 
                 builder = builder.add_root_certificate(ca_cert);
+                loaded_cas += 1;
+                debug!("Successfully loaded CA certificate: {ca_path}");
             } else {
                 warn!("Trusted CA certificate file not found: {ca_path}");
             }
         }
+        debug!(
+            "Loaded {loaded_cas} CA certificate(s) for server verification"
+        );
 
         // Add client certificate if configured
         if let (Some(cert_path), Some(key_path)) =