My deployments have a single CA that's used as trust-anchor on both machines, and then the certificates are signed by the CA. The CA is further added to the systems' trust stores. I haven't tried what you're doing (sorry).
Eric Graham
DevOps Specialist
Direct: 605.990.1859
eric.gra...@vantagepnt.com

________________________________
From: Stefan G. Weichinger <li...@xunil.at>
Sent: Thursday, June 29, 2023 9:04 AM
To: Eric Graham <eric.gra...@vantagepnt.com>; kea-users@lists.isc.org <kea-users@lists.isc.org>
Subject: Re: [Kea-users] kea-2.2.0 - HA cluster - communication between stork and dhcp4 gets lost

On 29.06.23 at 15:34, Eric Graham wrote:
> Stefan,
>
> I think so, but I'm not sure if it's best practice to share that
> certificate with Kea since you'd need to open up permissions a little
> and allow Kea to read the private key. If you have no qualms with that
> note, then it's probably worth an attempt, at least. Since Kea shouldn't
> be running as root, you may need to change group ownership of the certs
> or use fACLs.

I could copy them over to /var/lib/kea and adjust things. Prepared that already.

As far as I understand the CAs have to be placed "cross-wise":

server1 has to use ca_server2.pem as trust-anchor
server2 has to use ca_server1.pem as trust-anchor

Right?

I haven't started editing things yet, can't risk downtime while people are working there.
--
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.

Kea-users mailing list
Kea-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/kea-users
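
The two trust-anchor layouts mentioned in this thread (one shared CA, and one CA per host placed "cross-wise"), as an added example that is not part of either poster's message: it builds throwaway CAs and certificates with the openssl CLI and checks which anchor validates which certificate. All file names and subjects are constructed (ca_server1 and ca_server2 follow the naming in the message), and Kea and Stork themselves are not involved.

```shell
#!/bin/sh
# Added example. Every name, subject and path here is constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # throwaway keys, removed on exit

# make_ca NAME: self-signed CA certificate NAME.pem with key NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: certificate NAME.pem signed by CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# chains_to ANCHOR CERT: true only if CERT validates with ANCHOR as trust anchor
chains_to() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

report() {
    if chains_to "$1" "$2"; then echo "OK    $2 validates against $1"
    else echo "FAIL  $2 does not validate against $1"; fi
}

# Layout 1: one CA signs both certificates; both hosts use the same trust anchor.
make_ca shared_ca
issue_cert shared_ca shared_server1
issue_cert shared_ca shared_server2
report shared_ca shared_server1
report shared_ca shared_server2

# Layout 2: one CA per host; each host needs the peer's CA to validate the peer.
make_ca ca_server1; issue_cert ca_server1 server1
make_ca ca_server2; issue_cert ca_server2 server2
report ca_server2 server2   # what server1 checks with ca_server2.pem as anchor
report ca_server1 server1   # what server2 checks with ca_server1.pem as anchor
report ca_server1 server2   # a host's own CA does not validate the peer
```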