Configuring OpenSSL for KVM/libvirtd on Ubuntu 16.04.2 LTS server
 

After whacking around for years using VirtualBox on Linux, OS X and Windows hosts, I'm trying to learn KVM on Ubuntu 16.04.2 LTS server. I've got it installed and running on a physical host, and virt-manager works well in accessing it via SSH. I've got my public key on the server ("vmserver"), and can access it from my Macbook, Windows and Linux laptops.

What I'd like to do is enable TLS on the server, and that's where I'm stumbling. I need TLS to be able to pass thru a reverse web proxy & firewall (blocks port 22). There's a great tutorial at libvirt.org's website, but it's geared toward gnutls rather than openssl, and gnutls saves certs in different locations than openssl does, plus it seems that there's also differences between RHEL/CentOS cert locations and Ubuntu's.

What is the actual industry "best practice" for the location of ssl/tls certs on an Ubuntu 16.04 LTS KVM host server? /etc/ssl, or /etc/pki, or /etc/pki/libvirt?