Helpers to configure mTLS connection authentication.
mTLS configuration for greenlight clients. Clients authenticate by presenting a valid mTLS certificate to the node. Each node has its own CA, which signs both the device certificates and the node certificate itself. Because the node only accepts certificates chaining to its own CA, only authorized clients can open a connection to it.
Structs§
- TlsConfig: In order to allow clients to talk to the `crate::scheduler::Scheduler`, a default certificate and private key are included in this crate. The only service endpoints that can be contacted with this `NOBODY` identity are [`Scheduler.register`] and [`Scheduler.recover`], as these are the endpoints used to prove ownership of a node and to return valid certificates if that proof succeeds.
Functions§
- generate_ecdsa_key_pair
- generate_self_signed_device_cert: Generate a new device certificate from a fresh set of keys. The path in the common name (CN) field is “/users/{node_id}/{device}”. This certificate is self-signed and needs to be signed off by the user's certificate authority to be valid. This certificate cannot act as a CA and sign sub-certificates. It can take an optional key pair to create the certificate from instead of generating a key pair from scratch.
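The flow described by this module (a per-node CA, a fresh ECDSA key pair, a self-signed device certificate with the `/users/{node_id}/{device}` CN that is only valid once the user's CA has signed it off, and that cannot itself act as a CA) can be reproduced with the `openssl` CLI. The script below is an added example and is not gl-client's own code; it does not call `generate_ecdsa_key_pair` or `generate_self_signed_device_cert` but mirrors what they produce. The `NODE_ID` and `DEVICE` values, the P-256 curve, the 365-day validity, the CA subject `node-<id>-ca` and the `clientAuth` extended key usage are assumptions made for the example, not values taken from the crate.

```shell
#!/bin/sh
# Added example, not gl-client code: the device-certificate flow re-created with
# the openssl CLI. NODE_ID, DEVICE, curve, validity and CA subject are made up.
set -eu

NODE_ID="${NODE_ID:-02aabbccddeeff0011}"   # hypothetical node id, not a real key
DEVICE="${DEVICE:-phone-1}"
CN_PATH="/users/${NODE_ID}/${DEVICE}"       # CN layout used by generate_self_signed_device_cert
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/cert.cnf"

# One config file: the device CN plus one extension section per certificate type.
write_config() {
  cat > "$CNF" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = ${CN_PATH}
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# The per-node CA: a P-256 key and a self-signed CA:TRUE certificate.
make_node_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 365 -config "$CNF" \
    -subj "/CN=node-${NODE_ID}-ca" -extensions ca_ext -out "$WORK/ca.pem"
}

# generate_ecdsa_key_pair + generate_self_signed_device_cert, in openssl terms:
# a fresh P-256 key and a self-signed leaf (CA:FALSE) whose CN is CN_PATH.
make_self_signed_device_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.key"
  openssl req -x509 -new -key "$WORK/device.key" -sha256 -days 365 -config "$CNF" \
    -extensions leaf_ext -out "$WORK/device-selfsigned.pem"
}

# The node CA signs the device certificate off. openssl cannot countersign a
# certificate in place, so the self-signed cert is turned back into a CSR
# (same key, same subject) and a CA-issued leaf is produced from that.
ca_sign_device_cert() {
  openssl x509 -x509toreq -in "$WORK/device-selfsigned.pem" \
    -signkey "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/device.csr" -sha256 -days 365 \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$CNF" -extensions leaf_ext -out "$WORK/device.pem" 2>/dev/null
}

# Returns 0 iff the certificate chains to the node CA (what the node checks for mTLS).
verify_with_node_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Subject in RFC 2253 form, e.g. CN=/users/<node_id>/<device>.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# A device certificate must not be usable as a CA: issue a certificate under it
# and confirm that path validation rejects the chain (if openssl refuses to
# issue at all, that is the same outcome).
device_cert_cannot_issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/sub.key"
  openssl req -new -key "$WORK/sub.key" -config "$CNF" -subj "/CN=sub-device" \
    -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/sub.csr" -sha256 -days 365 \
    -CA "$WORK/device.pem" -CAkey "$WORK/device.key" -CAcreateserial \
    -out "$WORK/sub.pem" 2>/dev/null || return 0
  ! openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/device.pem" \
      "$WORK/sub.pem" >/dev/null 2>&1
}

main() {
  write_config
  make_node_ca
  make_self_signed_device_cert
  ca_sign_device_cert
  echo "device cert subject: $(cert_subject "$WORK/device.pem")"
  verify_with_node_ca "$WORK/device-selfsigned.pem" && echo "BUG: self-signed cert accepted" && exit 1
  verify_with_node_ca "$WORK/device.pem" && echo "CA-signed device cert: OK"
  device_cert_cannot_issue && echo "device cert cannot act as a CA: OK"
}
main "$@"
```

The two negative checks are the security-relevant ones: the self-signed certificate that `generate_self_signed_device_cert` hands to the scheduler is rejected by the node CA until the CA has signed it off, and the CA-signed device certificate still cannot be used to mint further certificates because it carries `basicConstraints = CA:FALSE`. Note that in the real protocol the scheduler signs the presented certificate rather than a CSR; the CSR round-trip here is only an artifact of the openssl CLI.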