You can allow only TLS client-server mutual authentication and disable the default key. To do so, you will have to use the Client SDK 5 configure tool to update the client-side configuration files: https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sdk-5.html

--server-client-cert-file <Client/certificate/file>
Path to the client certificate used for TLS client-server mutual authentication. Only use this option if you don't wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-key-file.
Required: No

--server-client-key-file <Client/key/file>
Path to the client key used for TLS client-server mutual authentication. Only use this option if you don't wish to use the default key and SSL/TLS certificate we include with Client SDK 5. You must set this option in combination with --server-client-cert-file.
Required: No

The difference is that mutual TLS (Transport Layer Security) authentication is an optional component of TLS that offers two-way peer authentication. Mutual TLS authentication adds a layer of security over TLS and allows your services to verify the client that's making the connection. The client in the client-server relationship also provides an X.509 certificate during the session negotiation process. The server uses this certificate to identify and authenticate the client. This process helps to verify whether the certificate is issued by a trusted certificate authority (CA) and whether the certificate is valid. It also uses the Subject Alternative Name (SAN) on the certificate to identify the client. https://docs.aws.amazon.com/app-mesh/latest/userguide/mutual-tls.html
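The answer above lists the two configure-tool options but not how a client certificate is produced or what to check before handing it to the SDK. The script below is an added example, not code from the original post or from AWS. It issues a client key and certificate from a CA, verifies that the certificate actually chains to that CA (and that a certificate from an unrelated CA does not), and assembles the configure-tool command with both options set together, as the docs require. Assumptions not stated on the page: the CA is a throwaway one generated locally for the demo (in practice you would use whichever CA your cluster trusts for client certificates), the SDK 5 configure tool for the CLI lives at /opt/cloudhsm/bin/configure-cli, and the command is printed rather than executed so the script runs on a machine without the SDK installed.

```shell
#!/bin/sh
# Added example (not from the original post or AWS): issue a client cert for
# CloudHSM Client SDK 5 mutual TLS and build the configure-tool command.
# Assumptions: throwaway local CA (constructed for the demo); configure tool
# path /opt/cloudhsm/bin/configure-cli; command is printed, not run.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Throwaway CA for the demo. In practice, use the CA your cluster trusts.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=demo-client-ca" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Client key + CSR, signed by the CA, then chain-verified locally so a
# mismatch fails here rather than as an opaque TLS error inside the SDK.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=cloudhsm-client-01" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORKDIR/client.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -days 30 -out "$WORKDIR/client.crt" >/dev/null 2>&1
  chmod 600 "$WORKDIR/client.key"   # private key: owner read/write only
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/client.crt" >/dev/null
}

# Negative check: a self-signed cert from an unrelated CA must NOT verify
# against our CA. Returns 0 when the foreign cert is rejected.
rejects_foreign_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=someone-else" \
    -keyout "$WORKDIR/other.key" -out "$WORKDIR/other.crt" >/dev/null 2>&1
  ! openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/other.crt" >/dev/null 2>&1
}

# The two options must be set together; print the command instead of running
# it so this works on a host without the SDK (tool path is an assumption).
configure_cmd() {
  printf 'sudo /opt/cloudhsm/bin/configure-cli --server-client-cert-file %s --server-client-key-file %s\n' \
    "$WORKDIR/client.crt" "$WORKDIR/client.key"
}

if [ "${1:-}" = "run" ]; then
  make_demo_ca
  issue_client_cert
  rejects_foreign_cert && echo "foreign cert correctly rejected"
  configure_cmd
fi
```

Run it as `sh script.sh run`; the printed command is what you would execute on the client host (repeat with configure-pkcs11, configure-jce or configure-dyn for the other SDK 5 components). Keep the private key off shared storage and readable only by the account that runs the SDK.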
About the original question:
So using my own produced SSL key and cert (instead of the default one) creates a better secured (encrypted) communication between the client and CloudHSM. Though this cannot be used to restrict access to CloudHSM from a specific client machine, because the default key and cert can always be used from any other machine (along with the root CA). Is that correct?