Hi Team,
I would like to establish an SSL/TLS connection using third-party CA certificates between the UFs -> HFs -> indexers.
The order I'm following to configure the TLS connection is below.
-----BEGIN CERTIFICATE-----
... (certificate for your server)...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
...<Server Private Key – Passphrase protected>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
... (the certificate authority certificate)...
-----END CERTIFICATE-----
Now, the question here is: can we remove the RSA private key from the certificate? Do we need the private key in order to establish the secure connection from the UF to the HF?
OK. Are you aware how TLS in particular, and PKI and asymmetric cryptography in general, work?
If you want to just authenticate the other party (for example - want to make sure at your forwarder that the indexer you're connecting to is the one it claims to be), all you need on your forwarder is the certificate (just the certificate) of the CA used to issue the indexer's certificate.
But if you need to authenticate yourself as the forwarder to the indexer, you need both the certificate you got issued by the CA as well as your own private key. That's why it's called private key - it's something unique to you and you don't disclose it to any other parties. It's used to encrypt stuff during the communication so that other parties can decrypt it with your public key (included in the certificate).
For your own security, please, please, please get someone with TLS/PKI working experience involved and please read a bit about how it all works otherwise you can hurt yourself.
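To make the distinction in the answer above concrete, here is an added Python example (not from the original thread and not Splunk's own code) that parses a PEM bundle laid out like the one in the question, counts its certificate and private-key blocks, notes whether a key is passphrase-protected (the legacy `Proc-Type: 4,ENCRYPTED` header or an `ENCRYPTED PRIVATE KEY` block), and reports whether the file can only serve as a trust store (which is all a forwarder needs to verify an indexer) or can also present its own identity (a certificate plus its private key). The sample bundle is constructed with placeholder base64 bodies rather than real key material, so nothing here is parsed as DER; the function and variable names are the example's own assumptions.

```python
import base64
import re

# Labels that carry private key material in a PEM bundle.
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# One PEM block: BEGIN line, optional "Name: value" headers, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)


def _fake_pem(label, payload, headers=""):
    """Build a constructed PEM block whose body is just base64 of a placeholder string."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed sample bundle in the same order as the question: server cert,
# passphrase-protected server key (legacy OpenSSL headers), then the CA cert.
SAMPLE_BUNDLE = (
    _fake_pem("CERTIFICATE", b"server-cert-placeholder")
    + _fake_pem(
        "RSA PRIVATE KEY",
        b"server-key-placeholder",
        headers="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n",
    )
    + _fake_pem("CERTIFICATE", b"ca-cert-placeholder")
)


def parse_pem_blocks(text):
    """Return a list of dicts {label, headers, der} for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group(1)
        lines = m.group(2).strip("\n").split("\n")
        headers = {}
        # Legacy headers look like "Proc-Type: 4,ENCRYPTED"; base64 never contains ':'.
        while lines and ":" in lines[0]:
            name, _, value = lines[0].partition(":")
            headers[name.strip()] = value.strip()
            lines.pop(0)
        body = "".join(line.strip() for line in lines if line.strip())
        blocks.append({"label": label, "headers": headers, "der": base64.b64decode(body)})
    return blocks


def _is_encrypted(block):
    """True when the key block is passphrase-protected (PKCS#8 encrypted or legacy header)."""
    return (
        block["label"] == "ENCRYPTED PRIVATE KEY"
        or block["headers"].get("Proc-Type") == "4,ENCRYPTED"
    )


def summarize_bundle(text):
    """Count what the bundle contains and which TLS role it can fill."""
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in blocks if b["label"] in KEY_LABELS]
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "encrypted_keys": sum(1 for k in keys if _is_encrypted(k)),
        # Certificates alone are enough to act as a trust store and verify the peer.
        "trust_store_only": len(certs) >= 1 and len(keys) == 0,
        # Presenting your own identity to the peer needs a certificate AND its private key.
        "can_present_identity": len(certs) >= 1 and len(keys) >= 1,
    }


def strip_private_keys(text):
    """Return the bundle with every private-key block removed (certificates only)."""
    return PEM_BLOCK.sub(lambda m: "" if m.group(1) in KEY_LABELS else m.group(0), text)


if __name__ == "__main__":
    print("full bundle:      ", summarize_bundle(SAMPLE_BUNDLE))
    print("key removed:      ", summarize_bundle(strip_private_keys(SAMPLE_BUNDLE)))
```

Running it shows the two cases the answer describes: the full bundle (2 certificates, 1 encrypted key) can present an identity, while the same file with the key stripped out still holds both certificates but can only be used to verify the other side. Note that without decoding the DER this check cannot tell a CA certificate from a leaf certificate; it only tells you whether the material needed for each role is present.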
Hi @VK18,
you have to establish a secure connection between UFs and HFs, probably using one password, and then another secure connection between HFs and Indexers, probably using another password,
but you can also use the same one for both, because the password isn't readable, as it's encrypted at the first restart.
Ciao.
Giuseppe