Quick question: why must the key of client certificates be known on both the server-node the client connects to, as well as by the client that initiates the connection? I’m by no means an expert on cryptography, but with any other authentication that uses key/certificate based authentication the secret key is only required for the identifying party. So for me this seems a bit strange.
Each cert is only used once for the server and once for the client.
For example, if you take a look at this guide, you’ll see that you are asked to create a CA cert and key, Node certs and keys, and Client certs and keys, and they all end up in one folder. The server only needs the CA cert and the Node cert and key; the client just needs the CA cert and the Client cert and key.
Does this help?
The server only needs the CA cert and the Node cert and key; the client just needs the CA cert and the Client cert and key.
Yes that’s what I expected. But you’re saying something else here:
create a CA cert and key, Node certs and keys, and Client certs and keys, and they all end up in one folder
That’s the part I don’t understand. Why put client keys in the node certs folder? The node should only have the cert, not the key.
For easy rapid setup, when we created our documentation on certs, we had all of the certs and keys stored in one folder. This does not mean that the nodes are using the key or that the certs are being used elsewhere, this was done for simplicities sake, but all certs and keys are used accordingly. On a live production deployment it is absolutely possible and encouraged, to have the certs and keys in separate folders.