Split mTLS client and CA certificates handling for improved TLS configuration #98

Closed
Pallavikumarimdb wants to merge 6 commits into fosrl:dev from Pallavikumarimdb:feat/Split-mTLS-client-and-CA-certificates

@Pallavikumarimdb
Contributor

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

This PR introduces a clearer separation between the mTLS client certificate/key and the CA certificate for the Newt service. The previous implementation used a single certificate path for both client authentication and CA verification. This change introduces the following:

  • --tls-client-cert-file: Path to the client certificate used for mTLS
  • --tls-client-key: Path to the private key associated with the client certificate
  • --tls-client-ca: Path to the CA certificate used to verify the server

Changes made:

  • Added three new CLI flags for TLS client certificate, key, and CA.
  • Ensured backward compatibility by not removing any existing functionality.

How to test?

Testing:

  • Local Docker environment used to simulate mTLS using generated client.key, client.crt, and ca.crt.
  • Verified failure when invalid paths are passed and success with correct certs.
  • Confirmed mutual TLS handshake is successful with valid certs.

Closes #54
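
The separation this description refers to, as an added Go example that is not code from this pull request or from Newt: the client identity (certificate plus key) and the CA used to verify the server are loaded into different fields of the TLS configuration. The names `buildClientTLS`, `selfSigned` and `must` are hypothetical, the mapping of the three inputs to the contents of the files behind `--tls-client-cert-file`, `--tls-client-key` and `--tls-client-ca` is an assumption, and the certificates are constructed self-signed stand-ins generated at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// buildClientTLS (hypothetical name) takes the client cert, client key and CA as separate PEM inputs.
func buildClientTLS(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // client identity; errors if key and cert differ
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // server trust anchors, independent of the client identity
	if !roots.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA input holds no parsable certificate")
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, RootCAs: roots}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a constructed, throwaway self-signed certificate and its key as PEM.
func selfSigned(cn string) (certPEM, keyPEM []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))})
}

func main() {
	certPEM, keyPEM := selfSigned("constructed-client")
	caPEM, _ := selfSigned("constructed-ca")
	must(buildClientTLS(certPEM, keyPEM, caPEM))
}
```

Passing a key that does not belong to the certificate, or a CA input with no certificate block in it, returns an error instead of a configuration.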

dependabot bot and others added 6 commits July 29, 2025 16:39
Bumps the prod-patch-updates group with 1 update: [github.com/docker/docker](https://github.com/docker/docker).


Updates `github.com/docker/docker` from 28.3.2+incompatible to 28.3.3+incompatible
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](moby/moby@v28.3.2...v28.3.3)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.3.3+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-patch-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
…ch-updates-e08645070f

Bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible in the prod-patch-updates group
@Pallavikumarimdb
Contributor Author

Hi, @oschwartz10612, I have added the changes with commit: "Split mTLS client and CA certificates". Please review and let me know if any changes are needed.

3 participants