Split mTLS client and CA certificates #33

New Issue

Closed

opened 2025-11-19 07:12:30 -06:00 by GiteaMirror · 0 comments

GiteaMirror commented 2025-11-19 07:12:30 -06:00

Owner

Copy Link

Originally created by @3nprob on GitHub (Jun 5, 2025).

Currently, mTLS configuring reads private key + cert + CAs from a single file.

This conflates the client and server CA(s).

• The local newt cert may be from a different CA that CAs that should be trusted for remote certs
  • We don't necessarily want to trust our own CA for remote certs
  • We may want to trust remote CAs that have no part in issuing the newt cert

Single-file bundle also a very commonly results in misconfiguration: Users will believe they need to include the CA for their own cert, as opposed to remote ones.

I suggest breaking up the configuration:

• Make CA certificate optional in --tls-client-cert file
• Add new configuration --tls-client-ca (can ideally be configured multiple times / a list to facilitate rotation without downtime)

Alternatively, deprecate tls-client-cert and add separate arguments for cert/key/cas.

Originally created by @3nprob on GitHub (Jun 5, 2025). Currently, mTLS configuring reads private key + cert + CAs from a single file. This conflates the client and server CA(s). - The local newt cert may be from a different CA that CAs that should be trusted for remote certs - We don't necessarily want to trust our own CA for remote certs - We may want to trust remote CAs that have no part in issuing the newt cert Single-file bundle also a very commonly results in misconfiguration: Users will believe they need to include the CA for their own cert, as opposed to remote ones. I suggest breaking up the configuration: - Make CA certificate optional in `--tls-client-cert` file - Add new configuration `--tls-client-ca` (can ideally be configured multiple times / a list to facilitate rotation without downtime) Alternatively, deprecate `tls-client-cert` and add separate arguments for cert/key/cas.

GiteaMirror added the good first issuehelp wanted labels 2025-11-19 07:12:30 -06:00

GiteaMirror closed this issue 2025-11-19 07:12:31 -06:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

msg-opt

dependabot/go_modules/prod-patch-updates-3194e6d214

dependabot/docker/minor-updates-1134f52710

ssh-agent

msg-delivery

icmp2

port-firewall

platform

hp-multi-client

holepunch

updown

1.10.2

v1.10.2

1.10.1

v1.10.1

1.10.0

v1.10.0

1.9.5

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

v1.9.0

1.8.1

v1.8.1

v1.8.0

1.8.0

1.8.0-rc.0

1.7.0

1.6.1

1.7.0-rc.0

1.6.0

v1.0.1

1.4.9

1.5.2

1.5.1

1.5.0

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

bug

enhancement

good first issue

help wanted

Improvement

pull-request

Mirrored from GitHub Pull Request

No Label good first issue help wanted

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/newt#33