Restricted Clients Setup

Eric Voskuil edited this page Mar 16, 2017 · 8 revisions

Access to a server's secure endpoints can be limited to specific clients. First configure the secure server and ensure clients can access it. Access to a secure endpoint requires client configuration of the server's public key.

When a server configures one or more client public keys, access to its secure endpoints is automatically restricted to those clients. Each client must then configure its own private key in order to access the secure endpoints.

The bx cert-new and cert-public commands can be used to generate certificates. The certificates (keys) are presented as Z85-encoded text strings. A public key can be derived from its private key.

Generate the private key as follows:

$ bx cert-new
pNeb[Rdz=b4-ix/&02Q*W}d>f1}(0>eH7+wCkP2^

Keep the private key secret and replace it if it is ever compromised. The private key can be placed into the bx configuration in the server.client_private_key setting.

Generate the corresponding public key for the server configuration as follows:

$ bx cert-public "pNeb[Rdz=b4-ix/&02Q*W}d>f1}(0>eH7+wCkP2^"
P0[f<Wq5@OQhK>6r=S-2LMj]9i%DnSMqieoKg30i

To grant access to the secure server, add the client's public key to the bs configuration as follows:

[server]
client_public_key = P0[f<Wq5@OQhK>6r=S-2LMj]9i%DnSMqieoKg30i
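
A pre-deployment check for the keys above, as an added example that is not part of the original page or of the libbitcoin code: it decodes the Z85 text in pure Python and lints client_public_key lines. It assumes the 40-character, 32-byte size of ZeroMQ CURVE keys; the function names and the sample configuration are constructed for illustration.

```python
# Added example: validate Z85 key strings before they go into bx/bs configuration.
Z85 = ("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
       ".-:+=^!/*?&<>()[]{}@%$#")
INDEX = {ch: i for i, ch in enumerate(Z85)}

def z85_decode(text):
    """Decode Z85 text to bytes; raise ValueError on malformed input."""
    if len(text) % 5:
        raise ValueError("length must be a multiple of 5")
    out = bytearray()
    for pos in range(0, len(text), 5):
        value = 0
        for ch in text[pos:pos + 5]:
            if ch not in INDEX:
                raise ValueError(f"character {ch!r} is not in the Z85 alphabet")
            value = value * 85 + INDEX[ch]
        if value > 0xFFFFFFFF:  # 85**5 > 2**32, so some 5-char groups are invalid
            raise ValueError(f"group at offset {pos} overflows 32 bits")
        out += value.to_bytes(4, "big")
    return bytes(out)

def check_key(text):
    """Return the 32 raw key bytes (assumed CURVE key size), or raise ValueError."""
    raw = z85_decode(text)
    if len(raw) != 32:
        raise ValueError(f"expected 40 characters (32 bytes), got {len(text)}")
    return raw

def lint_client_keys(config_text):
    """Return (line_number, error) for each malformed client_public_key line."""
    problems = []
    for number, line in enumerate(config_text.splitlines(), 1):
        name, sep, value = line.partition("=")  # first '=' only: keys may contain '='
        if sep and name.strip() == "client_public_key":
            try:
                check_key(value.strip())
            except ValueError as error:
                problems.append((number, str(error)))
    return problems

# Constructed sample: line 2 is the page's key, line 3 has lost its last character.
SAMPLE = """[server]
client_public_key = P0[f<Wq5@OQhK>6r=S-2LMj]9i%DnSMqieoKg30i
client_public_key = P0[f<Wq5@OQhK>6r=S-2LMj]9i%DnSMqieoKg30
"""

if __name__ == "__main__":
    print(lint_client_keys(SAMPLE))
```

The lint splits each line on the first = only, because = (like # and [) is part of the Z85 alphabet and appears in the key shown above.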

See also filtered clients setup.