In my case, I had set TLSVerifyClient to demand. I was not able to establish a connection while providing TLSCACertificateFile alone.

When setting the TLSVerifyClient option to demand, is it mandatory to provide the following options, or is TLSCACertificateFile enough?

  • TLSCACertificateFile
  • TLSCertificateKeyFile
  • TLSCertificateFile

Regards,

Ram

ram ajay

1 Answer

By setting TLSVerifyClient to anything other than never you allow mutual TLS.

As implied already in the name: mutual SSL/TLS requires that both client and server authenticate themselves with certificates.

The mechanism of TLS client authentication (only) sends the client certificate over TLS, as part of the authentication handshake.

On the server that requires, and means you can't do without:

  • a server certificate: TLSCertificateFile
  • the associated private key for the server certificate: TLSCertificateKeyFile
  • additionally, the certificate authority that is trusted to issue client certificates: TLSCACertificateFile <filename> OR TLSCACertificatePath <path>

As a nice curiosity: the certificate authority that is trusted to issue client certificates does not have to be the same one that issues the server certificate. Typically it is not. Your server certificate, for example, is issued by Let's Encrypt, and you would use an internal CA for client certificates.


On the client you first need to trust the CA certificate (chain) used to issue the server certificate. Often that doesn’t need to be configured explicitly as the system defaults for the client often already have the correct trusts built in. That is governed by the client settings: TLS_CACERT and/or TLS_CACERTDIR.

Then, for the client to identify itself with mutual TLS, it needs its own certificate and associated private key, set with the TLS_CERT and TLS_KEY directives respectively.

HBruijn
  • Hi HBruijn, sorry for the inconvenience. I thought the user tags would define those items. I am facing problems in the LDAP server and LDAP client. – ram ajay May 29 '23 at 08:01
  • My apologies but for me tags are no substitute for information that belongs in the question itself. – HBruijn May 29 '23 at 08:42
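
A worked example of the server-side and client-side directives the answer lists, together with a small check for the exact failure in the question (TLSVerifyClient set to demand with only TLSCACertificateFile present). This is added here and is not code from the question, the answer or the OpenLDAP project; the file names, paths and the checker functions are constructed placeholders, and the config fragments are written in slapd.conf / ldap.conf syntax.

```shell
#!/bin/sh
# Added example (not part of the original post): constructed slapd.conf and
# ldap.conf fragments for mutual TLS, plus a POSIX sh checker that reports which
# required directives are missing. All paths are placeholders.

# Constructed sample: the configuration from the question, CA file only.
BROKEN_CONF=$(mktemp)
cat > "$BROKEN_CONF" <<'EOF'
# slapd.conf fragment (constructed sample): only the client CA is set
TLSCACertificateFile /etc/ldap/tls/client-ca.pem
TLSVerifyClient demand
EOF

# Constructed sample: the complete server side of mutual TLS.
FULL_CONF=$(mktemp)
cat > "$FULL_CONF" <<'EOF'
# slapd.conf fragment (constructed sample)
# Server identity: certificate and its private key
TLSCertificateFile    /etc/ldap/tls/slapd-cert.pem
TLSCertificateKeyFile /etc/ldap/tls/slapd-key.pem
# CA (chain) trusted to issue client certificates; may differ from the server cert's CA
TLSCACertificateFile  /etc/ldap/tls/client-ca.pem
# Require a client certificate and fail the handshake without a valid one
TLSVerifyClient demand
EOF

# Constructed sample: the client side (ldap.conf or ~/.ldaprc).
CLIENT_CONF=$(mktemp)
cat > "$CLIENT_CONF" <<'EOF'
# ldap.conf fragment (constructed sample)
# CA trusted to issue the *server* certificate (often already in system defaults)
TLS_CACERT /etc/ldap/tls/server-ca.pem
# The client's own certificate and private key, presented during the handshake
TLS_CERT   /etc/ldap/tls/client-cert.pem
TLS_KEY    /etc/ldap/tls/client-key.pem
EOF

# tls_directive FILE NAME: print the value of directive NAME (case-insensitive),
# empty if it is absent. Comment lines never match because $1 is "#".
tls_directive() {
    awk -v name="$2" 'tolower($1) == tolower(name) { print $2; exit }' "$1"
}

# check_mutual_tls FILE: return 0 if the server config can actually verify client
# certificates, 1 otherwise; the missing directives are listed on stderr.
check_mutual_tls() {
    conf=$1
    mode=$(tls_directive "$conf" TLSVerifyClient)
    mode=${mode:-never}     # slapd's default when the directive is absent
    if [ "$mode" = never ]; then
        return 0            # no client authentication requested, nothing to check
    fi
    missing=""
    [ -n "$(tls_directive "$conf" TLSCertificateFile)" ]    || missing="$missing TLSCertificateFile"
    [ -n "$(tls_directive "$conf" TLSCertificateKeyFile)" ] || missing="$missing TLSCertificateKeyFile"
    if [ -z "$(tls_directive "$conf" TLSCACertificateFile)" ] \
       && [ -z "$(tls_directive "$conf" TLSCACertificatePath)" ]; then
        missing="$missing TLSCACertificateFile|TLSCACertificatePath"
    fi
    if [ -n "$missing" ]; then
        echo "TLSVerifyClient $mode is set but the config lacks:$missing" >&2
        return 1
    fi
    return 0
}

# check_client_tls FILE: return 0 if the client can present its own certificate
# (both TLS_CERT and TLS_KEY set), 1 otherwise.
check_client_tls() {
    [ -n "$(tls_directive "$1" TLS_CERT)" ] && [ -n "$(tls_directive "$1" TLS_KEY)" ]
}

# Usage: the first call fails and names the two missing server directives,
# the second and third succeed.
check_mutual_tls "$BROKEN_CONF" || echo "broken config rejected as expected"
check_mutual_tls "$FULL_CONF"   && echo "full server config OK"
check_client_tls "$CLIENT_CONF" && echo "client config OK"
```

The checker only mirrors the dependency the answer describes (a client-authenticating server needs its own certificate and key plus a client CA); it does not open the files or validate the certificates themselves, so a passing result still leaves the usual slapd -Tt / ldapsearch -ZZ connection test to do.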