The corrosion tls command

In a non-development environment, you'll want to configure [gossip.tls] to secure the transport of information within the cluster.

$ corrosion tls --help
Tls-related commands

Usage: corrosion tls [OPTIONS] <COMMAND>

Commands:
  ca      TLS certificate authority commands
  server  TLS server certificate commands
  client  TLS client certificate commands (for mutual TLS)
  help    Print this message or the help of the given subcommand(s)

corrosion tls ca generate

A CA (Certificate Authority) is necessary to sign server certificates. It's expected for a Corrosion cluster to have a single CA key pair for signing all the nodes' server certificates.

Store the key somewhere secure!

$ corrosion tls ca generate --help
Generate a TLS certificate authority

Usage: corrosion tls ca generate [OPTIONS]

By default, certificates will be output as ca_cert.pem and ca_key.pem in the current directory.

corrosion tls server generate

Generates a server certificate key pair for encrypting peer-to-peer packets; these files are what the gossip.tls configuration block refers to.

The command accepts an <IP> positional argument. It must be the IP address your cluster's nodes will use to connect to the server you're generating the certificate for.

You'll need to have previously generated a CA key pair, since the --ca-key and --ca-cert flags are required; they take the paths to the CA key and CA certificate PEM files respectively.

$ corrosion tls server generate --help
Generate a TLS server certificate from a CA

Usage: corrosion tls server generate [OPTIONS] --ca-key <CA_KEY> --ca-cert <CA_CERT> <IP>

Arguments:
  <IP>

corrosion tls client generate

Generates a client certificate key pair for authorizing peer-to-peer clients (mutual TLS).

You'll need to have previously generated a CA key pair, since the --ca-key and --ca-cert flags are required; they take the paths to the CA key and CA certificate PEM files respectively.

$ corrosion tls client generate --help
Generate a TLS certificate from a CA

Usage: corrosion tls client generate [OPTIONS] --ca-key <CA_KEY> --ca-cert <CA_CERT>
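The full bootstrap sequence described on this page (one CA, a server certificate for the node's peer IP, a client certificate for mutual TLS), as an added example that is not part of the Corrosion project's own documentation. It assumes corrosion and openssl (1.1.1 or newer) are on PATH, and it only relies on the file names the page states (ca_cert.pem, ca_key.pem); the server certificate's file name is whatever corrosion tls server generate writes.

```shell
#!/bin/sh
# Added example (not from the Corrosion docs): bootstrap a cluster's TLS material
# with the commands above, then verify a server certificate with openssl.
# Assumed: `corrosion` and `openssl` (1.1.1+) are on PATH; file names other than
# ca_cert.pem/ca_key.pem are whatever `corrosion tls ... generate` writes.
set -eu

# The <IP> must be the address peers actually dial, so reject values that can
# never be reached from another node (0.0.0.0, loopback) or are malformed.
check_peer_ip() {
  ip=$1
  case "$ip" in ''|*[!0-9.]*|0.0.0.0|127.*|*..*|.*|*.) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs   # split into dotted octets
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# One CA for the whole cluster, then a server cert for this node's peer IP and
# a client cert for mutual TLS. Keep ca_key.pem off the nodes once signing is done.
bootstrap_cluster_tls() {
  out=$1; ip=$2
  check_peer_ip "$ip" || { echo "refusing '$ip': peers could not reach it" >&2; return 1; }
  mkdir -p "$out"
  (
    cd "$out"
    corrosion tls ca generate                     # writes ca_cert.pem, ca_key.pem
    chmod 600 ca_key.pem
    corrosion tls server generate --ca-key ca_key.pem --ca-cert ca_cert.pem "$ip"
    corrosion tls client generate --ca-key ca_key.pem --ca-cert ca_cert.pem
  )
}

# Before shipping a server cert to a node, confirm it chains to the cluster CA
# and that its SAN carries the peer IP; a mismatch makes peers reject the
# handshake, so catch it here rather than in the gossip logs.
verify_server_cert() {
  ca=$1; cert=$2; ip=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  openssl x509 -in "$cert" -noout -ext subjectAltName | grep -q "IP Address:$ip"
}

# Usage: bootstrap_cluster_tls ./cluster-tls 10.0.0.5
#        verify_server_cert ./cluster-tls/ca_cert.pem ./cluster-tls/<server cert>.pem 10.0.0.5
```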