Add documentation regarding using a certificate chain

Josh Souza 2019-01-22 10:09:24 -08:00
parent bb5278fe9b
commit f724480c7b

@ -77,6 +77,8 @@ Connect
The ``tls`` transport uses TCP + TLS with client authentication using client certificates.
The client identity is the common name (CN) presented in the client certificate.
It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_.
When utilizing a CA infrastructure, provide a full chain certificate with the sender's certificate first in the list, with each following certificate directly certifying the one preceding it, per `TLS's specification<https://tools.ietf.org/html/rfc5246#section-7.4.2>`.
For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`.
The implementation uses `Go's TLS library <https://golang.org/pkg/crypto/tls/>`_.
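Review bot: the new external link on the "When utilizing a CA infrastructure" line is malformed reStructuredText and will not render as a hyperlink: it is missing the space before the angle bracket and the trailing underscore that the EasyRSA and Go links on the neighbouring lines use, so Sphinx/docutils will treat the whole backticked span as interpreted text. Change it to `TLS's specification <https://tools.ietf.org/html/rfc5246#section-7.4.2>`_ to match the existing link style. For the same reason, consider adding a space in the :ref: on the following line (`instructions below <transport-tcp+tlsclientauth-2machineopenssl>`) for consistency, although Sphinx tolerates the missing space there. The chain-ordering description itself matches RFC 5246 section 7.4.2 (sender's certificate first, each subsequent certificate certifying the one before it); it may be worth adding that, per that section, the root CA certificate may be omitted from the chain since the server is expected to have it already.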