Hey, On 25 February 2017 at 12:37, jupiter via Boost-users < boost-users@lists.boost.org> wrote:
I think I can use openssl to generate those self signed files, correct? I saw some programs use 4 use_certificate_chain_file, use_certificate_file, use_private_key_file and use_tmp_dh_file in both server and client sites, but I also saw some test program only use one ca.pem in client site and 3 use_certificate_chain_file, use_private_key_file and use_tmp_dh_file in server site, which is correct or better? Any guideline?
Yes, you can use openssl to generate self signed certificates. If you need to, you can also easily get widely trusted certificates for free from letsencrypt. As for using server certificates and/or client certificates: it really depends on the application. With TLS, both endpoints of the connection *can* identify themselves with a certificate. In general it makes sense to use a certificate to have the client verify the identity of the server. If the server should only accept connections from trusted users/devices, you could use client certificates too. On the other hand, if the server accepts anonymous connections, there is nothing to be gained from verifying the client certificates so you're better off not asking for them in the first place. -- Maarten