Add a tip about needing server and client usage in intra-cluster TLS certificates (neo4j#1691)

NataliaIvakina · web-flow · commit 2b8e101198a2 · 2024-06-20T12:10:01.000+02:00
Copied from the PR neo4j#1688
diff --git a/modules/ROOT/pages/clustering/intra-cluster-encryption.adoc b/modules/ROOT/pages/clustering/intra-cluster-encryption.adoc
@@ -24,6 +24,24 @@ Under SSL, an endpoint can authenticate itself using certificates managed by a x
 It should be noted that the deployment of a secure key management infrastructure is beyond the scope of this manual, and should be entrusted to experienced security professionals.
 The example deployment illustrated below is for reference purposes only.
 
+[TIP]
+====
+If setting up intra-cluster encryption as part of a cluster configuration, ensure that the certificates used on the cluster endpoint support server and client usage.
+This is because when connecting between the Neo4j servers for clustering, each server uses its own certificate to authenticate as a client on the connection to another server.
+
+This could be verified from within the certificate details:
+
+----
+openssl x509 -in public.crt -noout -text
+----
+
+We should see that the X509v3 Extended Key Usage section shows both the usages listed:
+
+----
+X509v3 Extended Key Usage:
+    TLS Web Server Authentication, TLS Web Client Authentication
+----
+====
 
 [[causal-clustering-intra-cluster-encryption-example-deployment]]
 == Example deployment
diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc
@@ -85,6 +85,25 @@ Valid trusted certificates can be generated for free using non-profit CAs such a
 
 The instructions on this page assume that you have already obtained the required certificates from the CA.
 
+[TIP]
+====
+If setting up intra-cluster encryption as part of a cluster configuration, ensure that the certificates used on the cluster endpoint support server and client usage.
+This is because when connecting between the Neo4j servers for clustering, each server uses its own certificate to authenticate as a client on the connection to another server.
+
+This could be verified from within the certificate details:
+
+----
+openssl x509 -in public.crt -noout -text
+----
+
+We should see that the X509v3 Extended Key Usage section shows both the usages listed:
+
+----
+X509v3 Extended Key Usage:
+    TLS Web Server Authentication, TLS Web Client Authentication
+----
+====
+
 === Validate the key and the certificate
 
 If you need, you can validate the key file and the certificate as follows:
