Certificate Recipes
RFC 9289 prescribes some requirements for x.509 certificates to be used for RPC-with-TLS. The NVMe TCP transport specification does not yet describe the use of x.509 certificates with TLS, but x.509 support is expected eventually.
This wiki article provides a few examples of how to create x.509 certificates for use with tlshd and RPC-with-TLS.
To use TLS with x.509, the server side must always have a certificate.
Without a certificate of its own, a client can use TLS, but only for encryption. When the client has a certificate of its own, it can request both encryption-only and encryption-plus-host-authentication.
Self-signed certificates are also supported, though their use places some limits on the capabilities of TLS.
NFS is the most common user of RPC-with-TLS.
When performing a mount, NFS clients identify the NFS server either by its DNS hostname or by its IP address. A server certificate should therefore list every hostname and IP address that clients may use to mount it; these are placed in the certificate's subjectAltName extension, as DNS and IP entries respectively.
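The following is an added example, not a recipe from this wiki or from the tlshd project: a small POSIX shell recipe that produces a self-signed NFS server certificate whose subjectAltName carries both DNS and IP entries, then checks the result the way a client would, by asking OpenSSL whether the certificate matches a given hostname or address. The hostnames and the 192.0.2.10 address are constructed placeholders, and the helper names (make_server_cert, cert_has_san, cert_matches_host, cert_matches_ip) are assumptions for this example. It assumes the openssl command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the tlshd wiki). Generates a self-signed server
# certificate with subjectAltName entries and checks name matching.
set -eu

# make_server_cert OUTDIR CN SAN...  where each SAN is "DNS:name" or "IP:addr".
# Writes OUTDIR/server.key, OUTDIR/server.crt and the config used to build them.
make_server_cert() {
    outdir=$1; cn=$2; shift 2
    san=$(printf '%s,' "$@"); san=${san%,}          # join SANs with commas
    mkdir -p "$outdir"
    # OpenSSL request config: no interactive prompts, SANs in an X.509v3 section.
    cat > "$outdir/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $cn
[v3_server]
subjectAltName = $san
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -config "$outdir/server.cnf" -extensions v3_server >/dev/null 2>&1
}

# cert_has_san CERT ENTRY: succeed if ENTRY (e.g. "DNS:nfs1.example.test" or
# "IP Address:192.0.2.10", as OpenSSL prints them) appears in the SAN extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q -F "$2"
}

# cert_matches_host CERT HOSTNAME: succeed if the (self-signed) certificate
# verifies and its SAN matches HOSTNAME, i.e. a client mounting by that name
# would accept it.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_matches_ip CERT ADDRESS: same check for a client mounting by IP address.
cert_matches_ip() {
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Usage (placeholder names and a documentation-range address):
#   make_server_cert ./nfs1 nfs1.example.test DNS:nfs1.example.test DNS:nfs1 IP:192.0.2.10
#   cert_matches_host ./nfs1/server.crt nfs1.example.test && echo "matches"
```

Once generated, server.key and server.crt are the files handed to tlshd on the NFS server; a name that is absent from the SAN (for example a second alias the server is also known by) will fail the cert_matches_host check, which is exactly the failure a client mounting by that alias would see, so the SAN list should be kept in step with every name and address clients actually use.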