build tls crypt v2 key

This page describes how to build a TLS-Crypt-v2 key

Build a SERVER GROUP TLS-Crypt-V2 key (Recommended)

A SERVER GROUP key is a unique type of key because it is not associated with any X509 certificate. It is free to be used by any/all of your servers. (It has similar usage to a Certificate Authority Key ca.key)

• Command line:
  
  • ./easytls build-tls-crypt-v2-group-server <group-server-name>
    
• Notes:
  • To --inline this key, you must first have an X509 Server certificate to associate it with.

Build a SERVER TLS-Crypt-V2 key (Has limitations)

This type of key is identical to a SERVER GROUP key, with the exception that Easy-TLS associates this key with a specific X509 Server certificate. (Due to my lack of time, it was found to be simpler to create SERVER GROUP keys, instead of rewriting code to allow moving these keys around. I recommend that you use a SERVER GROUP key)

• Command line:
  
  • ./easytls build-tls-crypt-v2-server <server-name>
    
• Options:
  • --inline - Create a corresponding inline file.

Build a CLIENT TLS-Crypt-V2 key

• Command line:
  
  • ./easytls build-tls-crypt-v2-server <server-name> <client-name>
• Options:
  • --inline Create a corresponding .inline file.
  • --sub-key=<NAME> Create a TLS-Crypt-V2-Client-Sub-key file.
  • --custom-group=<GROUP-NAME> Use a Custom-Group
• filter-addresses
  • Appended to the end of the command.
  • Hardware-addresses: AA:BB:CC:11:22:33
  • Internet-addresses V4: 1.2.3.0/24, 1.2.3.4/32 (Address/mask must be valid for Easy-TLS)
  • Internet-addresses V6: 2001:a:b:c::/64, 2001:a:b:c::c0ff:ee/128 (Address/mask must be valid for Easy-TLS)

Bonus

• In No-CA mode the peer-fingerprints have been automatically shared.