I'm writing a config daemon.
It works like this:
accepts
- GET (read)
- POST (update)
- PUT (create)
- DELETE (delete)
methods
example:
PUT http://server1/key
(body = value)
stores value under key
GET http://server1/key
returns value in response body
Now, when a PUT, POST, DELETE is made it duplicates this request and sends it to peers, so that every node has the same data and any node can be queried in case one of the nodes is unavailable. It adds a header so the nodes know that they shouldn't duplicate a request and send out to other nodes.
Ok, this works so far, but now I'd like to only allow the nodes and a WebUI to be able to transmit requests to those nodes. And here is where TLS comes into play.
As far as I understand I need a rootCA, so I can sign server and client certificates. And I'd like to have valid certificates, not "self-signed" because I would use Go and crypto/tls and it should verify the certificates.
My question is:
Which extensions or fields do each of the certificates need? I wouldn't want to re-generate the server and client certs when a new node is added to the config server pool.
I would connect by IP address, not by hostname/dnsname (to skip hostname lookups and the potential eavesdropping of a third party by assigning an IP to their own dnsname, e.g. s1.myserver.com is mine with IP 1.2.3.4 and random dude creates a DNS entry with random.dude.com 1.2.3.4, because I get a list of all nodes by doing a NS lookup of clustercfg.mydomain.com)
On each new node I'd need to create a server cert (this is me, verify that it's true)
On each new node I'd need to create a client cert (so I can authenticate that this client node is valid and is allowed to access this server node)
The question is:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:server1.myserver.com, IP Address:2a02::0:0:0:0:0:0:2, IP Address:1.2.3.4
What does a rootCA, a server certificate, a client certificate need so I'm able to do "TLS Authentication"?