openconfig / gnmic

gNMIc is a gNMI CLI client and collector
https://gnmic.openconfig.net
Apache License 2.0

gRPC working fine even if we pass server certificate instead of root CA in --tls-ca parameter. #394

Closed Kam0011 closed 3 months ago

Kam0011 commented 5 months ago

Created a certificate with RSA 4096 and SHA256, but when executing the gnmic command it works fine when I use the server certificate in place of the --tls-ca field.

karimra commented 5 months ago

Could it be that the certificate is self signed and has basic constraint CA: true ?

Kam0011 commented 5 months ago

No, it's a CA-signed certificate created via the XCA tool. Suspecting that the client is not checking whether --tls-ca contains a CA certificate or a server certificate. But the command fails if I pass the client certificate under --tls-ca. The same behavior was found to be true for 3-4 certs that I have created.

karimra commented 5 months ago

You are right, I will add an additional check for that.

orenhecht commented 3 months ago

Why is using a server certificate as a parameter for --tls-ca a problem? If it also works for a CA certificate, why limit its usage?

We use self-signed certificates generated on the server, copy them to the client, and then use --tls-ca on the client to verify the certificate.

If it doesn't affect using a CA certificate, please do not change it. But if you do, please leave an option to use the server certificate.

Thanks

karimra commented 3 months ago

If you use a self-signed certificate, that cert typically has Basic Constraints: CA: True. So using it with the --tls-ca flag will still work.

karimra commented 3 months ago

v0.37.0 will fail if the provided TLS CA certificate does not include the basic constraint CA set to true.
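The thread establishes the behaviour but not the mechanism. The reason a server certificate "works" in --tls-ca is that Go's crypto/x509 verifier (which gnmic's TLS client relies on) treats a certificate that is itself present in the root pool as directly trusted, so the leaf verifies against itself; a different leaf (the client certificate) is not in the pool and cannot be chained to it, so that case fails. The following is an added example, not gnmic's code: it builds a throwaway CA, a server certificate and a client certificate, tries each of the three as the trust anchor, and runs a hypothetical `checkTrustAnchor` that implements the rule described for v0.37.0 (Basic Constraints must be present with CA:TRUE). All names (`test-ca`, `device.example`, `collector-client`) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 = 1 // constructed serial numbers for the throwaway test PKI

// newCert issues a certificate for cn. With parent == nil it is self-signed;
// otherwise it is signed by parent/parentKey. isCA controls Basic Constraints.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // always encode the extension so CA:TRUE/FALSE is explicit
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// tlsVerify reports whether Go's X.509 verifier accepts server when anchor is
// the only certificate in the trust pool (the same check a TLS client performs).
func tlsVerify(server, anchor *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: "device.example"})
	return err == nil
}

// checkTrustAnchor is a hypothetical re-implementation (not gnmic's code) of the
// v0.37.0 rule: a --tls-ca file must carry Basic Constraints with CA:TRUE.
func checkTrustAnchor(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("tls-ca: no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("tls-ca: %q is not a CA certificate (Basic Constraints CA:TRUE missing)", cert.Subject.CommonName)
	}
	return nil
}

// Outcome records both results for one candidate --tls-ca file.
type Outcome struct {
	TLSVerifyOK bool // x509 verification of the server cert succeeds with this anchor
	CACheckOK   bool // the CA:TRUE check accepts this file as --tls-ca
}

// RunScenario builds a CA plus a server and a client cert signed by it, then
// tries each of the three as the --tls-ca anchor for the server cert.
func RunScenario() (map[string]Outcome, error) {
	ca, caKey, err := newCert("test-ca", true, nil, nil)
	if err != nil {
		return nil, err
	}
	server, _, err := newCert("device.example", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	client, _, err := newCert("collector-client", false, ca, caKey)
	if err != nil {
		return nil, err
	}
	out := map[string]Outcome{}
	for name, anchor := range map[string]*x509.Certificate{"ca": ca, "server": server, "client": client} {
		pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: anchor.Raw})
		out[name] = Outcome{TLSVerifyOK: tlsVerify(server, anchor), CACheckOK: checkTrustAnchor(pemBytes) == nil}
	}
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"ca", "server", "client"} {
		fmt.Printf("--tls-ca=%-7s x509 verify ok=%-5v CA:TRUE check ok=%v\n", name, out[name].TLSVerifyOK, out[name].CACheckOK)
	}
}
```

Running it shows the three cases from the thread: the CA passes both checks, the server certificate passes x509 verification (direct trust of a leaf that is in the pool) but fails the CA:TRUE check, and the client certificate fails both. One caveat for the self-signed workflow described above: a self-signed certificate generated with an explicit CA:FALSE would still be accepted by the verifier through the same direct-trust path, but the v0.37.0 check rejects it, so such certificates need to be regenerated with Basic Constraints CA:TRUE.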