# Full TLS Setup

Transport Layer Security, or TLS, can be used to provide a secure communications channel between Ubqt servers and clients, and is also optional for use in many Ubqt services that connect to internet resources.

## Certificates, Keys

Ubqt uses certificate and key pairs to establish TLS connections. In order to connect securely, we need to create a certificate and key on both the server and the client.

Related reading:

- https://en.wikipedia.org/wiki/Public_key_certificate
- https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange

## Server

In many applications, self-signed certificates are unwanted, because the client/server trust chain is broken. However, for most common ubqt installations, the same authority manages both sides. (You!) Using a Certificate Authority such as Let's Encrypt is also possible, and will be covered in future versions of this guide.

For systems with openssl, generating a self-signed certificate/key pair can be done as follows:

`openssl req -newkey rsa:4096 -nodes -sha512 -x509 -days 3650 -out /etc/ssl/certs/ubqt.pem -keyout /etc/ssl/private/ubqt.pem`

This will create the two named files, and the server will look for each under that specific name if none is provided on the command line.

To sign client certificates, we need a Certificate Signing Request file, for example:

`openssl req -new -key /etc/ssl/private/ubqt.pem -out /etc/ssl/certs/ubqt.csr`

### Plan9

Refer to http://man.cat-v.org/9front/8/rsa

A full guide coming soon!

Servers will prefer the factotum whenever possible for key values,

## Client

Here, we create and sign client certificates against our server's root certificate, created above:

```
# Create the client key
openssl genrsa -out myclient.key 4096

# Create a client sign request
openssl req -new -key myclient.key -out myclient.csr

# Sign the request to create a valid cert
# We'll make it last 1024 days
openssl x509 -req -in myclient.csr -CA /etc/ssl/certs/ubqt.pem -CAkey /etc/ssl/private/ubqt.pem -CAcreateserial -out myclient.pem -days 1024 -sha512
```

### Plan9
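The openssl flow from the Server and Client sections above, carried through end to end with the verification step a server performs when it requires client certificates. This is an added example, not part of the guide or the Ubqt project; it writes only to a temporary directory (the `$DIR` paths, key size and subject names are assumptions for the example) and also issues a certificate from an unrelated CA to show that verification rejects it.

```shell
#!/bin/sh
# Added example (not Ubqt's own scripts): build a throwaway CA and a
# client certificate the way the guide does, then check the chain.
set -eu

DIR=$(mktemp -d)   # assumed scratch location; the guide uses /etc/ssl

# Self-signed CA cert + key, as in the Server section (smaller key so
# the example runs quickly; use rsa:4096 as the guide does for real).
make_ca() {
    # $1 = file prefix, $2 = subject CN
    openssl req -newkey rsa:2048 -nodes -sha512 -x509 -days 3650 \
        -subj "/CN=$2" -out "$DIR/$1.pem" -keyout "$DIR/$1.key" 2>/dev/null
}

# Client key + CSR, signed by the named CA, as in the Client section.
issue_client() {
    # $1 = CA prefix, $2 = client name
    openssl genrsa -out "$DIR/$2.key" 2048 2>/dev/null
    openssl req -new -key "$DIR/$2.key" -subj "/CN=$2" \
        -out "$DIR/$2.csr" 2>/dev/null
    openssl x509 -req -in "$DIR/$2.csr" -CA "$DIR/$1.pem" \
        -CAkey "$DIR/$1.key" -CAcreateserial -out "$DIR/$2.pem" \
        -days 1024 -sha512 2>/dev/null
}

# Returns 0 when the client cert chains to the given CA, non-zero
# otherwise: the same decision a server makes on a presented client cert.
verify_client() {
    # $1 = CA prefix, $2 = client name
    openssl verify -CAfile "$DIR/$1.pem" "$DIR/$2.pem" >/dev/null 2>&1
}

make_ca ubqt-ca "ubqt server"
make_ca other-ca "unrelated CA"
issue_client ubqt-ca myclient   # trusted: signed by our CA
issue_client other-ca stranger  # untrusted: signed by someone else's CA
```

Note that `-CAcreateserial` leaves a `.srl` file beside the CA certificate; keep it with the CA key so later client certificates get distinct serial numbers.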