This document explains how to handle TLS certificates for the feed key service.
The service uses rustls internally to handle the TLS connections.
For a local setup it is possible to set up a self-signed certificate chain, which
requires the openssl command to be installed.
## Self-signed server certificate

A self-signed TLS server private key and server certificate for testing purposes can easily be generated with the following command:

```sh
openssl req -newkey rsa:4096 -noenc -keyout server.key -x509 -days 365 -out server.cert.pem -subj "/CN=ACME" -batch
```

## Server certificate signed by a local CA

Create the CA private key and certificate (if not already created):

```sh
./ca-certificates.sh
```

Create the server private key and a server certificate that is signed by the CA:

```sh
./server-certificates.sh
```

## Client certificate signed by a local CA

Create the CA private key and certificate (if not already created):

```sh
./ca-certificates.sh
```

Create the client private key and a client certificate that is signed by the CA:

```sh
./client-certificates.sh
```

## Configuring the server certificate

Via CLI:

```sh
greenbone-feed-key --tls-server-key ./certs/server.key --tls-server-cert ./certs/server.cert.pem
```

Via environment variables:

```sh
export GREENBONE_FEED_KEY_TLS_SERVER_KEY=./certs/server.key
export GREENBONE_FEED_KEY_TLS_SERVER_CERT=./certs/server.cert.pem
greenbone-feed-key
```

## Configuring mTLS

Setting up mTLS requires providing the root certificate that has signed the actual client certificates.

Via CLI:

```sh
greenbone-feed-key --tls-server-key ./certs/server.key --tls-server-cert ./certs/server.cert.pem --tls-client-certs ./certs/ca.cert.pem
```

Via environment variables:

```sh
export GREENBONE_FEED_KEY_TLS_SERVER_KEY=./certs/server.key
export GREENBONE_FEED_KEY_TLS_SERVER_CERT=./certs/server.cert.pem
export GREENBONE_FEED_KEY_TLS_CLIENT_CERTS=./certs/ca.cert.pem
greenbone-feed-key
```

## Inspecting keys, requests and certificates

The generated private keys, certificate signing requests and certificates can be inspected with openssl:

```sh
openssl rsa -noout -text -in ./server.key
openssl x509 -noout -text -in ./server.cert.pem
openssl req -noout -text -in ./server.csr
openssl rsa -noout -text -in ./client.key
openssl x509 -noout -text -in ./client.cert.pem
openssl req -noout -text -in ./client.csr
```
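As an added, self-contained example (not part of this documentation and not the contents of the helper scripts above), the following script builds the kind of local chain the mTLS setup needs with the openssl CLI: a CA, a CA-signed server certificate with a SAN, and a CA-signed client certificate, followed by a verification step that checks each leaf against the CA for its intended purpose. The output file names are assumed to match the `./certs` paths used above; the config is written by the script so the result does not depend on the distribution's `openssl.cnf`.

```sh
#!/bin/sh
# Added example: local CA plus CA-signed server and client certificates.
# File names (ca.cert.pem, server.key, ...) are assumed to match the paths
# used by the CLI flags; -nodes is the portable spelling of -noenc.
set -eu
# write_config DIR: minimal openssl config with one explicit extension
# section per certificate kind (CA, TLS server, TLS client).
write_config() {
    cat > "$1/certs.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
[client_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
# make_chain DIR: writes ca.key/ca.cert.pem, server.key/server.cert.pem, client.key/client.cert.pem
make_chain() {
    dir="$1"; cfg="$1/certs.cnf"
    mkdir -p "$dir" && write_config "$dir"
    # Self-signed CA; ca.cert.pem is what --tls-client-certs expects for mTLS.
    openssl req -x509 -config "$cfg" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 365 -subj "/CN=ACME Local CA" -keyout "$dir/ca.key" -out "$dir/ca.cert.pem"
    for leaf in server client; do
        # CSR first, then the CA signs it; SAN and EKU come from the config section.
        openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -subj "/CN=$leaf" \
            -keyout "$dir/$leaf.key" -out "$dir/$leaf.csr"
        openssl x509 -req -in "$dir/$leaf.csr" -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 365 -extfile "$cfg" -extensions "${leaf}_ext" \
            -out "$dir/$leaf.cert.pem"
    done
}
# verify_chain DIR: succeeds only if server.cert.pem is valid for the sslserver
# purpose and client.cert.pem for the sslclient purpose under ca.cert.pem.
verify_chain() {
    openssl verify -CAfile "$1/ca.cert.pem" -purpose sslserver "$1/server.cert.pem" >/dev/null &&
    openssl verify -CAfile "$1/ca.cert.pem" -purpose sslclient "$1/client.cert.pem" >/dev/null
}
```

Run `make_chain ./certs && verify_chain ./certs` to produce and check the files, then pass them to `greenbone-feed-key` as shown above.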