Hi @BenjiReis, the certificate procedure I posted yesterday isn't quite right, and although the plugin will enable, TLS will not negotiate. My openssl.conf defaults to adding x509v3 attributes that break the TLS negotiation process.

Here's the correct procedure on Rocky Linux 9. Should work for most other recent Linux flavors.

Create a temporary directory to work in, and copy your OS's openssl.cnf file into it. Edit the [ v3_ca ] section so it only has the following 2 entries:

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

Now create the CA (run all commands in your tmp directory). I am also now using 4096 bit strength:

openssl genrsa 4096 > ca-key.pem
openssl req -new -x509 -config ./openssl.cnf -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

** The server certificate step in the previous post is not necessary, so just skip it.

Now create a file called client_attr.cnf and put the following entries in it:

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

Now create the client certificate:

openssl req -newkey rsa:4096 -nodes -keyout client-key.pem -out client-req.pem
openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -extfile ./client_attr.cnf

The ca-cert.pem and client-cert.pem should now conform to the correct x509 format that will work with XOA and hence cross-server private networking.

Sorry for the incorrect procedure, it was a late night 🙂

Cheers.
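
A way to confirm the result of the steps above, added here as an example and not part of the original post: the script repeats the procedure unattended in a scratch directory, then checks that each certificate carries only the two extensions listed and that the client certificate names the CA as its issuer. The subject names, the minimal openssl.cnf stand-in and the BITS variable are assumptions.

```shell
# Added example, not from the post. Subject names, the minimal openssl.cnf
# and the BITS variable are assumptions made so the steps run unattended.
BITS="${BITS:-4096}"

make_pair() {  # $1 = scratch directory; follows the post's steps inside it
  ( cd "$1" || exit 1
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Example CA
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
EOF
    printf 'subjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' > client_attr.cnf
    openssl genrsa -out ca-key.pem "$BITS" 2>/dev/null &&
    openssl req -new -x509 -config ./openssl.cnf -nodes -days 365000 \
      -key ca-key.pem -out ca-cert.pem &&
    openssl req -newkey "rsa:$BITS" -nodes -config ./openssl.cnf \
      -subj '/CN=example-client' -keyout client-key.pem -out client-req.pem 2>/dev/null &&
    openssl x509 -req -days 365000 -set_serial 01 -in client-req.pem \
      -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem \
      -extfile ./client_attr.cnf 2>/dev/null
  )
}

list_exts() {  # $1 = certificate; prints its extension names, sorted, comma-joined
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 extensions:/   { on = 1; next }
    /Signature Algorithm:/ { on = 0 }
    on && /^            [^ ]/ { sub(/^ +/, ""); sub(/: *(critical)?$/, ""); print }
  ' | sort | paste -sd, -
}

name_of() {  # $1 = -subject or -issuer, $2 = certificate
  openssl x509 -in "$2" -noout -nameopt RFC2253 "$1" | sed 's/^[a-z]*= *//'
}

check_pair() {  # $1 = CA cert, $2 = client cert
  want='X509v3 Authority Key Identifier,X509v3 Subject Key Identifier'
  for c in "$1" "$2"; do
    [ "$(list_exts "$c")" = "$want" ] || { echo "extra or missing extensions: $c"; return 1; }
  done
  [ "$(name_of -subject "$1")" = "$(name_of -issuer "$2")" ] ||
    { echo "client issuer does not match CA subject"; return 1; }
  echo ok
}
```

Run `make_pair "$(mktemp -d)"` to build a throwaway pair, or point `check_pair` at the ca-cert.pem and client-cert.pem produced by the procedure.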