Add documentation regarding using a certificate chain

Josh Souza 2019-01-22 10:09:24 -08:00
parent bb5278fe9b
commit f724480c7b


@ -77,6 +77,8 @@ Connect
The ``tls`` transport uses TCP + TLS with client authentication using client certificates. The ``tls`` transport uses TCP + TLS with client authentication using client certificates.
The client identity is the common name (CN) presented in the client certificate. The client identity is the common name (CN) presented in the client certificate.
It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_. It is recommended to set up a dedicated CA infrastructure for this transport, e.g. using OpenVPN's `EasyRSA <https://github.com/OpenVPN/easy-rsa>`_.
When utilizing a CA infrastructure, provide a full chain certificate with the sender's certificate first in the list, with each following certificate directly certifying the one preceding it, per `TLS's specification<https://tools.ietf.org/html/rfc5246#section-7.4.2>`.
For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`. For a simple 2-machine setup, see the :ref:`instructions below<transport-tcp+tlsclientauth-2machineopenssl>`.
The implementation uses `Go's TLS library <https://golang.org/pkg/crypto/tls/>`_. The implementation uses `Go's TLS library <https://golang.org/pkg/crypto/tls/>`_.
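Review bot: the RFC link on the added line is not valid reStructuredText hyperlink syntax and will not render as a link, because it lacks the space before the URL and the trailing underscore. Change ``TLS's specification<https://tools.ietf.org/html/rfc5246#section-7.4.2>`` to ```TLS's specification <https://tools.ietf.org/html/rfc5246#section-7.4.2>`_``, matching the ``EasyRSA`` and ``Go's TLS library`` links in the same paragraph. The sentence would also be more useful if it said where the chain goes: with Go's ``crypto/tls``, ``LoadX509KeyPair`` accepts a PEM file holding the leaf certificate followed by its intermediates, which is exactly the ordering described, and the self-signed root can be left out of that file because the peer must already hold it (RFC 5246 section 7.4.2 allows omitting it). Since this transport authenticates both ends, it is worth stating that the advice applies to the client's certificate file as well as the server's.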