[GH-ISSUE #54] Split mTLS client and CA certificates #2003

Closed
opened 2026-05-03 05:41:47 -05:00 by GiteaMirror · 0 comments
Owner

Originally created by @3nprob on GitHub (Jun 5, 2025).
Original GitHub issue: https://github.com/fosrl/newt/issues/54

Currently, mTLS configuration reads private key + cert + CAs from a single file.

This conflates the client and server CA(s).

  • The local newt cert may be from a different CA than the CAs that should be trusted for remote certs
    • We don't necessarily want to trust our own CA for remote certs
    • We may want to trust remote CAs that have no part in issuing the newt cert

A single-file bundle also very commonly results in misconfiguration: users will believe they need to include the CA for their own cert, as opposed to remote ones.

I suggest breaking up the configuration:

  • Make CA certificate optional in `--tls-client-cert` file
  • Add new configuration `--tls-client-ca` (can ideally be configured multiple times / a list to facilitate rotation without downtime)

Alternatively, deprecate `tls-client-cert` and add separate arguments for cert/key/cas.

GiteaMirror added the `good first issue`, `help wanted` labels 2026-05-03 05:41:47 -05:00

Reference: github-starred/newt#2003