This version seems to suggest that we recommend setting both clientAuth and serverAuth. This would only be the case if someone wanted one certificate that can be used for both client and server authentication. We should be able to mention that this is possible, without suggesting that it is recommended or should always be done (since the general recommendation is to use only clientAuth for certificates that will be presented when connecting to a server, and only serverAuth for certificates that will be presented to connecting clients). I.e. it doesn't mention that this is for the --sslPEMKeyFile but no --sslClusterFile case.
Can I suggest the following (or similar):
It is possible to use an x509 certificate for member authentication that doesn't have Extended Key Usage (EKU) attributes set. However, if EKU attributes are used in the --sslPEMKeyFile certificate, then either (or both) of the clientAuth and serverAuth (i.e. "TLS Web Client Authentication" and "TLS Web Server Authentication") attributes should be specified, depending on how the certificate will be used. The certificate specified to --sslPEMKeyFile requires the serverAuth attribute, while the certificate specified to --sslClusterFile requires the clientAuth attribute. As described below, if --sslClusterFile is omitted, it defaults to the file given to --sslPEMKeyFile.
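As an added illustration of the rule described above (this script is not part of the ticket or of the MongoDB documentation), the following shell script uses openssl to mint three throwaway test certificates, one with serverAuth only, one with clientAuth only and one with both, and then checks each against the role it would be used in: "server" for the file given to --sslPEMKeyFile and "client" for the file given to --sslClusterFile. A certificate with no EKU at all passes for either role, matching the first sentence of the suggested wording. The subject values, file names and the helper names make_cert, eku_of and check_role are assumptions made for this example; it assumes openssl 1.1.1 or later for the -addext option.

```shell
#!/bin/sh
# Added example, not MongoDB project code. Requires openssl >= 1.1.1 (-addext).
set -eu

WORK="${TMPDIR:-/tmp}/eku-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME EKU
#   Writes a self-signed key+cert bundle to $WORK/NAME.pem, which is the
#   layout mongod expects for --sslPEMKeyFile / --sslClusterFile, and
#   prints its path. O and OU are kept identical across certificates
#   because member authentication requires matching O/OU/DC values.
make_cert() {
    name="$1"; eku="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name.example.test/O=EKU Demo/OU=Cluster" \
        -addext "extendedKeyUsage = $eku" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
    cat "$WORK/$name.key" "$WORK/$name.crt" > "$WORK/$name.pem"
    echo "$WORK/$name.pem"
}

# eku_of FILE
#   Prints the human-readable EKU list of the certificate in FILE, e.g.
#   "TLS Web Server Authentication", or nothing if the cert has no EKU.
eku_of() {
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Extended Key Usage/ { getline; sub(/^ +/, ""); print; exit }'
}

# check_role FILE ROLE
#   ROLE is "server" (the --sslPEMKeyFile certificate, presented to
#   connecting clients) or "client" (the --sslClusterFile certificate,
#   presented when this node connects to other members).
#   Returns 0 when the certificate may be used in that role.
check_role() {
    file="$1"; role="$2"
    eku="$(eku_of "$file")"
    # No EKU extension: the certificate is unconstrained, either role is fine.
    [ -z "$eku" ] && return 0
    case "$role" in
        server) case "$eku" in *"TLS Web Server Authentication"*) return 0 ;; esac ;;
        client) case "$eku" in *"TLS Web Client Authentication"*) return 0 ;; esac ;;
    esac
    return 1
}

# Three constructed test certificates.
server_pem="$(make_cert server serverAuth)"
cluster_pem="$(make_cert cluster clientAuth)"
both_pem="$(make_cert both "serverAuth, clientAuth")"

for f in "$server_pem" "$cluster_pem" "$both_pem"; do
    printf '%s\n  EKU:              %s\n' "$f" "$(eku_of "$f")"
    printf '  --sslPEMKeyFile:  %s\n' "$(check_role "$f" server && echo ok || echo NOT OK)"
    printf '  --sslClusterFile: %s\n' "$(check_role "$f" client && echo ok || echo NOT OK)"
done
```

Run it with no arguments; it prints, for each of the three certificates, its EKU and whether it would be acceptable as the --sslPEMKeyFile and as the --sslClusterFile certificate. The case worth noticing is the serverAuth-only certificate: it is fine for --sslPEMKeyFile, but if --sslClusterFile is omitted it is also what the node presents when it connects to other members, where clientAuth is what is needed, so a single-file deployment needs either no EKU or both attributes.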