As part of MB-47905 ns_server now can provide access to an internal client certificate that can be used for the case when client cert auth is enabled and internal TLS connection needs to be established (connection inside CB cluster, but this cert actually can be used when connecting to external CB clusters as well - but that needs to be discussed separately).
This usually happens when:
1) Node-to-node encryption is set 'full' or 'strict'
2) Client cert auth is set to 'mandatory'
As part of this ticket please:
1) Let ns_server team know (by a comment in this ticket) if your service establishes such connections (in other words if you would like to use this internal client certificate), and if so how you would like ns_server to pass your service the path to the client certificate.
2) Add support for internal client certificates in your service. Note: if you are establishing a tls connection to memcached, regular authentication (auth cmd) will need to be done anyway.
Note: We will support encrypted internal private keys. The key passphrase will be passed to services via cbauth (similar to node key passphrase) but that is not implemented yet. More details will follow.
Client key passphrase can be encrypted.
Passphrase is passed via cbauth (similar to node key passphrase) in the ClientPrivateKeyPassphrase field of the TLSConfig struct.
When client cert or passphrase changes, TLSRefreshCallback is called with the CFG_CHANGE_CLIENT_CERTS_TLSCONFIG flag set.