To ensure that only trusted client applications have access to a server instance, configure the server instance to require client authentication:
Set the ssl-verify-peer-mode configuration property to verify-peer-require-peer-cert.
Configure the server instance to use the system provided certificate authority (CA) store, a server specific CA store, or both.
Use these configuration properties to control the CA stores used by the server instance:
x509-ca-file-store specifies a PEM-format CA store to authenticate clients.
x509-use-system-store directs the server instance to use the system CA store to authenticate clients.
Note: x509-use-system-store does not work on Windows.
Optionally configure the server instance to respect any certificate revocation lists (CRLs) in the CA store.
Specify this behavior by adding the x509-use-crl property to the server’s configuration. If this property is not specified, the server instance ignores the CRLs and may authenticate clients using revoked credentials.
Caution: You must add a CRL to the server’s CA store before adding the x509-use-crl property. If the CA store does not include a CRL, the server crashes.
This configuration excerpt configures a server instance to authenticate clients using the system CA store and to respect CRLs:
...
--https port
--x509-cert-chain ./x509/my-cert.pem
--x509-private-key ./x509/my-key.pem
--x509-passphrase ./x509/my-passphrase
--ssl-verify-peer-mode verify-peer-require-cert
--x509-use-system-store
--x509-use-crl
...
The server must be configured to use HTTPS in order to configure client authentication.
https | x509-cert-chain | x509-private-key
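The following Python check is an added example, not part of the original documentation or the product's own tooling. It audits an option list against the rules on this page before the server is started: HTTPS prerequisites, a required client certificate, a configured CA store, and a CRL present in the PEM store when x509-use-crl is set. It assumes a CRL in the PEM store is a standard "X509 CRL" PEM block, accepts both spellings of the peer-mode value that appear on this page, and cannot inspect the system CA store; the function names and SAMPLE_OPTIONS are constructed for illustration.

```python
import re
import shlex
from collections import Counter

# Assumed: CRLs are "X509 CRL" PEM blocks; both mode spellings are on the page.
REQUIRE_MODES = {"verify-peer-require-peer-cert", "verify-peer-require-cert"}
BARE_FLAGS = {"x509-use-system-store", "x509-use-crl"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# Constructed sample: the page's excerpt with --x509-use-crl left out.
SAMPLE_OPTIONS = (
    "--https port --x509-cert-chain ./x509/my-cert.pem "
    "--x509-private-key ./x509/my-key.pem --x509-use-system-store "
    "--ssl-verify-peer-mode verify-peer-require-cert"
)


def parse_options(text):
    """Turn '--name value' and bare '--flag' tokens into a dict (flags -> True)."""
    opts, name = {}, None
    for tok in shlex.split(text):
        if tok.startswith("--"):
            opts[tok[2:]] = True
            name = None if tok[2:] in BARE_FLAGS else tok[2:]
        elif name:
            opts[name], name = tok, None
    return opts


def count_pem_blocks(path):
    """Count PEM blocks by label, e.g. CERTIFICATE or X509 CRL."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return Counter(m.group(1) for m in PEM_BLOCK.finditer(fh.read()))


def audit(text):
    """Return findings for a client-authentication option set (empty = clean)."""
    opts = parse_options(text)
    needed = ("https", "x509-cert-chain", "x509-private-key")
    findings = [f"missing --{n}: HTTPS is required" for n in needed if n not in opts]
    if opts.get("ssl-verify-peer-mode") not in REQUIRE_MODES:
        findings.append("ssl-verify-peer-mode does not require a client certificate")
    store = opts.get("x509-ca-file-store")
    if not store and "x509-use-system-store" not in opts:
        findings.append("no CA store configured to authenticate clients")
    if "x509-use-crl" not in opts:
        findings.append("x509-use-crl not set: revoked certificates may be accepted")
    elif isinstance(store, str) and not count_pem_blocks(store).get("X509 CRL"):
        findings.append(f"x509-use-crl set but {store} has no CRL: server crashes")
    return findings
```

Calling audit(SAMPLE_OPTIONS) returns the single finding about x509-use-crl; an empty list means the option set passed every check on this page.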