From f6168a91e8454da1a54321c7d55d07bd692d88a6 Mon Sep 17 00:00:00 2001 From: Markus Opolka Date: Fri, 14 Feb 2025 13:04:11 +0100 Subject: [PATCH 1/2] Mention EKU requirements in securing-communications-with-tls.md --- .../mimir/manage/secure/securing-communications-with-tls.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/sources/mimir/manage/secure/securing-communications-with-tls.md b/docs/sources/mimir/manage/secure/securing-communications-with-tls.md index 53fa08e35d7..7f0fc0e8186 100644 --- a/docs/sources/mimir/manage/secure/securing-communications-with-tls.md +++ b/docs/sources/mimir/manage/secure/securing-communications-with-tls.md @@ -26,6 +26,8 @@ You can change the duration by adjusting the `-days` option in the command. You should replace certificates more regularly. {{< /admonition >}} +The certificates need to have both server authentication and client authentication set in the extended key usage field. + The following script generates self-signed certificates for the cluster. The script generates private keys `client.key`, `server.key` and certificates `client.crt`, `server.crt` for both the client and server. The script generates the CA cert as `root.crt`. From 23a3c17130dcd6d9f4bbe74215deaf582d1479b7 Mon Sep 17 00:00:00 2001 From: Markus Opolka Date: Fri, 14 Feb 2025 19:12:43 +0100 Subject: [PATCH 2/2] Update docs/sources/mimir/manage/secure/securing-communications-with-tls.md Co-authored-by: Taylor C <41653732+tacole02@users.noreply.github.com> --- .../mimir/manage/secure/securing-communications-with-tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/sources/mimir/manage/secure/securing-communications-with-tls.md b/docs/sources/mimir/manage/secure/securing-communications-with-tls.md index 7f0fc0e8186..acfee8d53bd 100644 --- a/docs/sources/mimir/manage/secure/securing-communications-with-tls.md +++ b/docs/sources/mimir/manage/secure/securing-communications-with-tls.md 
@@ -26,7 +26,7 @@ You can change the duration by adjusting the `-days` option in the command. You should replace certificates more regularly. {{< /admonition >}} -The certificates need to have both server authentication and client authentication set in the extended key usage field. +You need to set both server authentication and client authentication for certificates in the extended key usage field. The following script generates self-signed certificates for the cluster. The script generates private keys `client.key`, `server.key` and certificates `client.crt`, `server.crt` for both the client and server.
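Review bot: in PATCH 1/2, the sentence added after the `{{< /admonition >}}` line states the EKU requirement, but the script announced by the following context line ("The following script generates self-signed certificates for the cluster") is not touched by this 2-line change. From the patch alone, a reader cannot tell whether the generated `client.crt` and `server.crt` carry both usages. Either confirm in the text that the script sets them, or name the values in the sentence (the OpenSSL short names are `serverAuth` and `clientAuth`) so that operators who bring their own certificates know what to check.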
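Review bot: the reworded `+` line in PATCH 2/2 is harder to parse than the line it replaces. In "set both server authentication and client authentication for certificates in the extended key usage field", the phrase "in the extended key usage field" reads as attached to "certificates", and the definite "The certificates" from the old line is lost, so it no longer says which certificates are meant. Something like "Set both server authentication and client authentication in the extended key usage field of the client and server certificates" keeps the active voice and ties the requirement to the `client.crt` and `server.crt` named in the trailing context. It is also worth checking whether the requirement applies to `root.crt`, which the first hunk's context mentions, and saying so either way.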