Xentara v2.0.3
User Manual
TLS (Transport Layer Security)
See also
RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3,

Xentara uses secure communications protocols where possible. Usually, this involves the use of encrypted Transport Layer Security (TLS) connections from and to other systems. TLS is the standard security protocol used by most secure communication protocols, like SSH and HTTPS.

The TLS configuration is loaded from the Xentara security configuration file.

Server Certificate

When accepting TLS connections from remote clients, Xentara needs to present a valid certificate to the client. This certificate is called the Xentara server certificate.

Default Server Certificate

Unless a custom path has been specified, Xentara locates the server certificate by looking for a file named xentara.pem in the normal Xentara configuration directories described in Configuration File Location. The file must be located in a subdirectory named certs. By default, the following locations are tried, in order:

Linux:

  • ${HOME}/.config/xentara/certs/xentara.pem
  • /etc/xdg/xentara/certs/xentara.pem

Windows:

  • %LOCALAPPDATA%\Xentara\Config\certs\xentara.pem
  • %ProgramData%\Xentara\Config\certs\xentara.pem

If no server certificate is found, no secure communication requiring a server certificate will be possible.

The private key belonging to the server certificate must be called xentara.key.pem, and reside in a subdirectory named private. By default, the following locations are tried, in order:

Linux:

  • ${HOME}/.config/xentara/private/xentara.key.pem
  • /etc/xdg/xentara/private/xentara.key.pem

Windows:

  • %LOCALAPPDATA%\Xentara\Config\private\xentara.key.pem
  • %ProgramData%\Xentara\Config\private\xentara.key.pem

The private key file must be located under the same base directory as the certificate file. If the certificate is located under ${HOME}/.config, then the private key must also be located under ${HOME}/.config, for example. You cannot place the certificate file in ${HOME}/.config and the private key file in /etc/xdg, or vice versa. The same goes for %LOCALAPPDATA% and %ProgramData% under Windows.

Note
The search path can be modified using the command line option --config-dir (Linux) or -ConfigDir (Windows), or the environment variables XDG_CONFIG_HOME and XDG_CONFIG_DIRS (Linux only), as described in Standard Configuration Directories.

Custom Certificate Location

You can specify a different location for the certificate and private key files in the Xentara security configuration file.

Using the Server Certificate as a Client Certificate

Depending on the properties of the certificate, the server certificate may also be suitable for use in TLS client connections that require a client certificate. This is generally the case for self-signed certificates, but certificates issued by a certificate authority (CA) are often restricted to a number of so-called purposes. In order to be used as a server certificate, the certificate must contain the purpose “TLS server”. In order to be used as a client certificate, the certificate must contain the purpose “TLS client”.
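The Linux lookup described under Default Server Certificate and the purpose check described here, combined in one added example script; this is editorial example code, not a Xentara tool. It assumes openssl is installed and that openssl's purpose names "SSL server" and "SSL client" correspond to the "TLS server" and "TLS client" purposes above.

```shell
#!/bin/sh
# Added example, not part of Xentara: resolve the default server certificate
# and key in the search order above, then check the pair with openssl.
# xentara_find_cert BASE... : first BASE/xentara/certs/xentara.pem that exists.
xentara_find_cert() {
    for base in "$@"; do
        if [ -f "$base/xentara/certs/xentara.pem" ]; then
            printf '%s\n' "$base/xentara/certs/xentara.pem"
            return 0
        fi
    done
    return 1
}

# xentara_key_for CERT : the key must sit under the same base directory as
# the certificate, in private/ instead of certs/; any other base is rejected.
xentara_key_for() {
    key="$(dirname "$(dirname "$1")")/private/xentara.key.pem"
    [ -f "$key" ] || return 1
    printf '%s\n' "$key"
}

# xentara_check_pair CERT KEY : confirm the key belongs to the certificate and
# report its purposes. openssl names them "SSL server" / "SSL client" and
# answers Yes for both when the certificate carries no purpose restriction.
xentara_check_pair() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    purposes=$(openssl x509 -in "$1" -noout -purpose) || return 1
    case "$purposes" in
        *"SSL server : Yes"*) echo "TLS server purpose: OK" ;;
        *) echo "TLS server purpose missing: not usable as server certificate" >&2; return 1 ;;
    esac
    case "$purposes" in
        *"SSL client : Yes"*) echo "TLS client purpose: usable as client certificate" ;;
        *) echo "TLS client purpose missing: do not use for client connections" ;;
    esac
}

# xentara_tls_check : Linux lookup honouring XDG_CONFIG_HOME and the
# colon-separated XDG_CONFIG_DIRS, as the note on the search path describes.
xentara_tls_check() {
    bases="${XDG_CONFIG_HOME:-$HOME/.config}:${XDG_CONFIG_DIRS:-/etc/xdg}"
    cert=$(IFS=:; xentara_find_cert $bases) || { echo "no server certificate found" >&2; return 1; }
    key=$(xentara_key_for "$cert") || { echo "no private key under the base of $cert" >&2; return 1; }
    echo "certificate: $cert"; echo "private key: $key"
    xentara_check_pair "$cert" "$key"
}

[ "${1:-}" = "--check" ] && xentara_tls_check
```

Run it as `sh check-xentara-tls.sh --check` to inspect the installed pair; a key placed under a different base directory than the certificate is reported as missing, matching the rule above.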