Multiple TLS Crypt V2 Keys per X509 Certificate
A single X509 client certificate can have unlimited TLS-Crypt-V2 client keys to choose from to connect to a specific server. The option `--sub-key-name=Name` allows Easy-TLS to manage these unlimited keys.

You do not need a TLS-Crypt-V2 `--sub-key-name` to use all EasyTLS features. Only use `--sub-key-name` to manage extra TLS-Crypt-V2 client keys. Every server and client can be given a unique TLS-Crypt-V2 key without using `--sub-key-name`.

The only reason to use `--sub-key-name` is if you have trouble with DPI firewalls blocking you.
The following commands support Sub-Keys:

- Interactive `build`. Example: `build`
- Interactive `inline`. Example: `inline`
- `build-tls-crypt-v2-client`. Example: `--sub-key-name=home build-tls-crypt-v2-client alice`
  The new key file will be `easytls/alice-home-tls-crypt-v2.key`.
- `inline-tls-crypt-v2`. Example: `--sub-key-name=home inline-tls-crypt-v2 alice`
  The new Inline file will be `easytls/alice-home.inline`, and the inline index is updated.
- `inline-remove`. Example: `--sub-key-name=home inline-remove alice`
  This will remove the Inline file `easytls/alice-home.inline` and update the inline index. (You can manually delete the TLS-Crypt-V2 key file now.)
- `inline-renew` - TODO. Example: `--sub-key-name=home inline-renew alice`
  This will renew the Inline file `easytls/alice-home.inline` and update the inline index.
- `disable`. Example: `--sub-key-name=home disable alice`
  This will disable the client: X509 Certificate `alice` with TLS-Crypt-V2 key `home`.
- `enable`. Example: `--sub-key-name=home enable alice`
  This will enable the client: X509 Certificate `alice` with TLS-Crypt-V2 key `home`.
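Because one certificate can carry an unlimited number of sub-keys, it is easy to lose track of which ones exist and which were built but never inlined (or inlined and then had their key file deleted after `inline-remove`). The helper below is an added example, not part of Easy-TLS; it applies the file-naming scheme described above, and `easytls_subkeys`, `easytls_key_state` and `make_sample_dir` are names chosen here. The sample directory it builds contains empty placeholder files, not real keys.

```shell
#!/bin/sh
# Inventory of Easy-TLS TLS-Crypt-V2 client keys, following the naming scheme
# in the command list above (constructed helper, not part of easytls):
#   <client>-tls-crypt-v2.key            default key, inline: <client>.inline
#   <client>-<subkey>-tls-crypt-v2.key   sub-key,     inline: <client>-<subkey>.inline
# Caveat: the scheme is ambiguous when client or sub-key names contain "-"
# (a client "alice-2" looks like sub-key "2" of client "alice").

# Print the sub-key names that have a key file for one client, sorted, one per line.
# Usage: easytls_subkeys <easytls-dir> <client>
easytls_subkeys() {
    dir=$1; client=$2
    for f in "$dir/$client"-*-tls-crypt-v2.key; do
        [ -e "$f" ] || continue            # glob matched nothing
        f=${f##*/}                         # strip directory
        f=${f#"$client"-}                  # strip "<client>-"
        printf '%s\n' "${f%-tls-crypt-v2.key}"
    done | LC_ALL=C sort
}

# Print "ok" when key and inline file both exist, "no-inline" when only the key
# exists, "orphan-inline" when only the inline file exists, else "missing".
# Usage: easytls_key_state <easytls-dir> <client> [subkey]   (no subkey = default key)
easytls_key_state() {
    dir=$1; client=$2; sub=${3:-}
    if [ -n "$sub" ]; then
        key="$dir/$client-$sub-tls-crypt-v2.key"; inl="$dir/$client-$sub.inline"
    else
        key="$dir/$client-tls-crypt-v2.key";      inl="$dir/$client.inline"
    fi
    if [ -f "$key" ] && [ -f "$inl" ]; then echo ok
    elif [ -f "$key" ]; then echo no-inline
    elif [ -f "$inl" ]; then echo orphan-inline
    else echo missing
    fi
}

# Constructed sample easytls directory (empty placeholder files, no real keys).
make_sample_dir() {
    d=$(mktemp -d)
    touch "$d/server01-tls-crypt-v2.key" "$d/server01.inline"
    touch "$d/alice-tls-crypt-v2.key" "$d/alice.inline"
    touch "$d/alice-home-tls-crypt-v2.key" "$d/alice-home.inline"
    touch "$d/alice-LAPTOP-tls-crypt-v2.key"      # built, never inlined
    touch "$d/alice-PHONE.inline"                 # key deleted after inline-remove
    touch "$d/bob-tls-crypt-v2.key" "$d/bob.inline"
    echo "$d"
}
```

Running `easytls_key_state "$dir" alice LAPTOP` on the sample reports `no-inline`, and `easytls_subkeys "$dir" alice` lists `LAPTOP` and `home` but not `PHONE`, whose key file is gone.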
```text
* X509
|
\
|- Certificate Authority (CA) Certificate.
|
|\
| \
| |-- Server Certificate: `server01.crt`
| \
|  \
|   |---- TLS-Crypt-V2 server01 key: `server01-tls-crypt-v2.key`
|   |     Command: `./easytls build-tls-crypt-v2-server server01`
|   |---- Inline file: `server01.inline`
|   |     Command: `./easytls inline-tls-crypt-v2 server01`
|\
| \
| |-- Client Certificate: `alice.crt`
| |\
| | \
| |  |---- TLS-Crypt-V2 alice key: `alice-tls-crypt-v2.key`
| |  |     Command: `./easytls build-tls-crypt-v2-client server01 alice`
| |  |---- Inline file: `alice.inline`
| |  |     Command: `./easytls inline-tls-crypt-v2 alice`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 alice key `--sub-key-name=WORK`: `alice-WORK-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=WORK build-tls-crypt-v2-client server01 alice`
| |  |---- Inline file: `alice-WORK.inline`
| |  |     Command: `./easytls --sub-key-name=WORK inline-tls-crypt-v2 alice`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 alice key `--sub-key-name=LAPTOP`: `alice-LAPTOP-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=LAPTOP build-tls-crypt-v2-client server01 alice`
| |  |---- Inline file: `alice-LAPTOP.inline`
| |  |     Command: `./easytls --sub-key-name=LAPTOP inline-tls-crypt-v2 alice`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 alice key `--sub-key-name=PHONE`: `alice-PHONE-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=PHONE build-tls-crypt-v2-client server01 alice`
| |  |---- Inline file: `alice-PHONE.inline`
| |  |     Command: `./easytls --sub-key-name=PHONE inline-tls-crypt-v2 alice`
|
|\
| \
| |-- Client Certificate: `bob.crt`
| |\
| | \
| |  |---- TLS-Crypt-V2 bob key: `bob-tls-crypt-v2.key`
| |  |     Command: `./easytls build-tls-crypt-v2-client server01 bob`
| |  |---- Inline file: `bob.inline`
| |  |     Command: `./easytls inline-tls-crypt-v2 bob`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 bob key `--sub-key-name=HOME`: `bob-HOME-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=HOME build-tls-crypt-v2-client server01 bob`
| |  |---- Inline file: `bob-HOME.inline`
| |  |     Command: `./easytls --sub-key-name=HOME inline-tls-crypt-v2 bob`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 bob key `--sub-key-name=LAPTOP`: `bob-LAPTOP-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=LAPTOP build-tls-crypt-v2-client server01 bob`
| |  |---- Inline file: `bob-LAPTOP.inline`
| |  |     Command: `./easytls --sub-key-name=LAPTOP inline-tls-crypt-v2 bob`
| |
| |\
| | \
| |  |---- TLS-Crypt-V2 bob key `--sub-key-name=PHONE`: `bob-PHONE-tls-crypt-v2.key`
| |  |     Command: `./easytls --sub-key-name=PHONE build-tls-crypt-v2-client server01 bob`
| |  |---- Inline file: `bob-PHONE.inline`
| |  |     Command: `./easytls --sub-key-name=PHONE inline-tls-crypt-v2 bob`
|
|
```