tls crypt v2 key intro
This page is intended as an introduction to how Easy-TLS uses TLS-Crypt-V2 keys.
You may like to know: how do TLS-Crypt-V2 keys differ from the other TLS keys in OpenVPN?
- TLS-Auth and TLS-Crypt keys are pre-shared keys. The same key must be used by the Server and all the Clients, so a key leaked from any one Client has to be replaced on every Client.
- TLS-Crypt-V2 allows each Client to use its own unique key, or any other combination of unique vs. pre-shared keys, so a single Client's key can be disabled or replaced without touching the others.
Easy-TLS default mode policy is to create a unique TLS-Crypt-V2 key per X509 Server or X509 Client.
- In this mode, it is also possible to create *sub* keys, which allow each Client to have more than one TLS-Crypt-V2 key per X509 certificate.
- Also allowed are GROUP keys. These are exactly the same as a standard TLS-Crypt-V2 Client key, except they are intended to be shared by one class of clients. (You can arbitrarily choose the class, e.g. *family*.)
- Server TLS-Crypt-V2 keys are free to span any hierarchy, from a single Server to an entire Data-centre.
- Client TLS-Crypt-V2 keys are then subject to the access rules which Easy-TLS can leverage.
See: Easy-TLS Normal mode
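The key hierarchy and the access rules described above, shown with plain OpenVPN 2.5+ commands plus a minimal `--tls-crypt-v2-verify` hook. This is an added example, not Easy-TLS's own scripts: the file names, the `group=<name> client=<name>` metadata convention and the `ALLOWED_GROUPS` allow list are assumptions made for the illustration; `metadata_type` and `metadata_file` are the environment variables OpenVPN documents for the verify hook.

```shell
#!/bin/sh
# Added example, not Easy-TLS code. It shows, with plain OpenVPN 2.5+ commands,
# the key hierarchy the page describes (one server key wrapping per-client, sub
# and group keys) and a minimal --tls-crypt-v2-verify hook that turns the
# metadata stored in each client key into an access rule.
# Hypothetical names: tc-server.key, alice.key, alice-2.key, family.key, the
# "group=<name> client=<name>" metadata convention and the ALLOWED_GROUPS list.
set -eu

# Encode arbitrary text as the base64 string --genkey expects for metadata.
encode_meta() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Build the hierarchy. The server key is the root; every client-side key is
# wrapped with it and carries its own metadata, fixed at creation time.
build_keys() {
    dir=$1
    openvpn --genkey tls-crypt-v2-server "$dir/tc-server.key"
    # Unique key per X509 client (Easy-TLS default mode).
    openvpn --tls-crypt-v2 "$dir/tc-server.key" --genkey tls-crypt-v2-client \
        "$dir/alice.key"   "$(encode_meta 'group=family client=alice')"
    # A second key for the same client: a sub key in Easy-TLS terms.
    openvpn --tls-crypt-v2 "$dir/tc-server.key" --genkey tls-crypt-v2-client \
        "$dir/alice-2.key" "$(encode_meta 'group=family client=alice sub=2')"
    # One key shared by a whole class of clients: a GROUP key.
    openvpn --tls-crypt-v2 "$dir/tc-server.key" --genkey tls-crypt-v2-client \
        "$dir/family.key"  "$(encode_meta 'group=family')"
    # server.conf:  tls-crypt-v2 tc-server.key
    #               tls-crypt-v2-verify /etc/openvpn/tc-verify.sh
    #               script-security 2
    # alice.conf:   tls-crypt-v2 alice.key    (family.conf: tls-crypt-v2 family.key)
}

# Access rule: accept only keys whose metadata names a group on the allow list.
# OpenVPN calls the hook with metadata_type (0 = user-defined, 1 = timestamp)
# and metadata_file (a temp file holding the decoded metadata bytes).
verify_client_metadata() {
    mtype=$1; mfile=$2; allowed=$3
    # A key built without metadata only carries a timestamp: no group, no access.
    [ "$mtype" = "0" ] || return 1
    group=
    for kv in $(cat "$mfile"); do
        case $kv in group=*) group=${kv#group=} ;; esac
    done
    [ -n "$group" ] || return 1
    case " $allowed " in
        *" $group "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Invoked by OpenVPN as the verify hook: the exit status is the verdict.
if [ -n "${metadata_file:-}" ]; then
    if verify_client_metadata "${metadata_type:-}" "$metadata_file" "${ALLOWED_GROUPS:-family}"; then
        exit 0
    fi
    exit 1
fi

# Otherwise run an offline demonstration on constructed metadata files.
demo_dir=$(mktemp -d)
if command -v openvpn >/dev/null 2>&1; then
    build_keys "$demo_dir"
fi
printf 'group=family client=alice' > "$demo_dir/meta-alice"      # constructed
printf 'group=guest client=mallory' > "$demo_dir/meta-mallory"   # constructed
for m in alice mallory; do
    if verify_client_metadata 0 "$demo_dir/meta-$m" "family office"; then
        echo "$m: accepted"
    else
        echo "$m: rejected"
    fi
done
rm -rf "$demo_dir"
```

Installed as the server's `tls-crypt-v2-verify` hook the script returns 0 to admit a client and 1 to refuse it; run by hand it prints the verdict for the two constructed metadata files. The point worth noticing is that the metadata is sealed inside the client key by the server key when the key is generated, so a client cannot alter its own group; Easy-TLS layers its own metadata format and checks on this same mechanism.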
Easy-TLS No-CA mode policy is likewise to create a unique TLS-Crypt-V2 key per X509 Server or X509 Client.
With these certificates in place of a regular PKI, you can now create your TLS-Crypt-V2 key suite.
(Standard TLS-Auth and TLS-Crypt keys also work in No-CA mode.)
See: Easy-TLS No-CA mode
Easy-TLS allows many levels of access filtering.
The TLS-Crypt-V2 key hierarchy may surprise you.
See: TLS-Crypt-V2 Key hierarchy