Generate Development Certificates
Cmdra requires mTLS. The daemon presents a server certificate, and each connecting client presents its own client certificate.
For local development, generate a small CA plus one server certificate and development client certificates:
./scripts/generate-dev-certs.sh dev/certs
This creates:
dev/certs/ca.crt
dev/certs/server.crt
dev/certs/server.key
dev/certs/client-a.crt
dev/certs/client-a.key
dev/certs/client-b.crt
dev/certs/client-b.key
What matters for validation
- Normal operation only requires one client certificate plus the server certificate.
- The extra client-b certificate is generated for authorization and cross-identity testing.
- The server certificate should include DNS/IP SANs for the hostname or IP that clients connect to when clients perform normal certificate verification.
- Client SANs are not required for this project because daemon-side authorization is keyed off certificate CN.
- Access control is configured with --allowed-client-cn.
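The layout and the validation points above, as an added example that is not the project's script: Go's standard library builds the same CA, server and client certificates in memory and then runs the daemon-side check the notes describe. The function names (DevCerts, AuthorizeClient), the CNs cmdra-dev-ca and cmdra-dev-server, the localhost/127.0.0.1 SANs and the use of Ed25519 keys are assumptions of this example, not Cmdra's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func issue(tmpl, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate { // sign tmpl; self-signed when parent == tmpl
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert
}

func DevCerts() (ca, server, clientA, clientB *x509.Certificate) { // in-memory stand-in for dev/certs (assumed names; keys are dropped)
	newKey := func() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k } // one per *.key file
	tmpl := func(serial int64, cn string, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
	}
	caT, caKey := tmpl(1, "cmdra-dev-ca"), newKey()
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca = issue(caT, caT, caKey, caKey)
	srv := tmpl(2, "cmdra-dev-server", x509.ExtKeyUsageServerAuth) // clients verify the SANs below, not this CN
	srv.DNSNames, srv.IPAddresses = []string{"localhost"}, []net.IP{net.ParseIP("127.0.0.1")}
	server = issue(srv, ca, newKey(), caKey)
	clientA = issue(tmpl(3, "client-a", x509.ExtKeyUsageClientAuth), ca, newKey(), caKey) // no SANs: the CN is the identity
	clientB = issue(tmpl(4, "client-b", x509.ExtKeyUsageClientAuth), ca, newKey(), caKey) // second identity for cross-identity tests
	return
}

func AuthorizeClient(ca, presented *x509.Certificate, allowedCN map[string]bool) error { // daemon-side check on a presented client cert
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err // not issued by the dev CA, expired, or not a client-auth certificate (e.g. server.crt)
	}
	if !allowedCN[presented.Subject.CommonName] { // chaining to the CA is not enough: the CN must be listed
		return fmt.Errorf("client CN %q not in --allowed-client-cn", presented.Subject.CommonName)
	}
	return nil
}
```

client-b chains to the same CA as client-a, so only the CN comparison separates them; that is the cross-identity case the second certificate exists for.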
Minimal development layout
dev/certs/
ca.crt
server.crt
server.key
client-a.crt
client-a.key
client-b.crt
client-b.key