CLM TLS configuration requirements

TLS deployment options

During CLM system deployment, you can choose to use one or more TLS certificates that the CLM generates and signs, or you can provide one or more of your own signed certificates, which are called custom certificates.

The CLM cluster software package provides a PKI server that can be used to simplify the TLS certificate distribution to NSP components.

Note: If the CLM clusters use advertised hostnames, the SAN field of a CLM server certificate must include the advertised hostname of each CLM cluster.

Note: The private key and certificate files for a CLM deployment must be in unencrypted PEM format.

Using custom TLS certificates

A custom TLS certificate for the CLM must:

  • be CA-signed

  • be a 2048-bit RSA key

  • include serverAuth in the ExtendedKeyUsages field

Note: A custom CLM server certificate must be unique to a CLM cluster.

See "To generate custom TLS certificate files for the CLM" for configuration information.

Using intermediate signing certificates

The CLM PKI service can act as an intermediate CA. The supported intermediate key type is a 4096-bit RSA key.

The required and recommended key extensions are the following:

  • Required:

    • CA:TRUE

    • certificate sign key usage

    • a chained .pem file in which the CLM intermediate certificate is first in the chain, followed by any further intermediate certificates, and ending with the root certificate

  • Recommended:

    • path length = 0, which signifies that the PKI server can sign only end-entity certificates

For example:

Note: The required restrictions are CA:TRUE and Certificate Sign; pathlen:0 is the recommended restriction.

    X509v3 Basic Constraints: critical
        CA:TRUE, pathlen:0
    X509v3 Key Usage: critical
        Digital Signature, Certificate Sign, CRL Sign
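The custom server-certificate requirements (CA-signed, 2048-bit RSA, serverAuth, advertised hostname in the SAN, unencrypted PEM key) and the intermediate-certificate requirements above can be checked with the openssl CLI before the files are handed to a CLM deployment. The following script is an added example and is not part of the CLM documentation or software; it assumes openssl 1.1.1 or later on PATH, and the file paths and advertised hostname are supplied by the caller.

```shell
# Added example (not from the CLM documentation): checks PEM files against
# the certificate requirements listed above using the openssl CLI.
# Assumes openssl 1.1.1+ on PATH. Each function prints every failed
# requirement and returns non-zero if any requirement is not met.

cert_text() { openssl x509 -in "$1" -noout -text; }

# Custom CLM server certificate: CA-signed, 2048-bit RSA, serverAuth EKU,
# and the advertised hostname ($2) present as a DNS entry in the SAN.
check_clm_server_cert() {
    cert=$1; host=$2; rc=0
    text=$(cert_text "$cert") || return 2
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
        echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
        { echo "FAIL: key is not a 2048-bit RSA key"; rc=1; }
    echo "$text" | grep -A1 'Extended Key Usage' |
        grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: extendedKeyUsage does not include serverAuth"; rc=1; }
    # Exact SAN token match: clm1.example must not accept clm1.example.com
    echo "$text" | grep -A1 'Subject Alternative Name' | tr ',' '\n' |
        sed 's/^ *//' | grep -qxF "DNS:$host" ||
        { echo "FAIL: SAN does not include DNS:$host"; rc=1; }
    # Self-signed heuristic (subject == issuer). A full chain check is
    # "openssl verify -CAfile <ca-chain.pem> <cert>" against the signing CA.
    [ "$(openssl x509 -in "$cert" -noout -subject_hash)" != \
      "$(openssl x509 -in "$cert" -noout -issuer_hash)" ] ||
        { echo "FAIL: certificate is self-signed, not CA-signed"; rc=1; }
    return $rc
}

# Intermediate signing certificate for the CLM PKI service: 4096-bit RSA,
# CA:TRUE and Certificate Sign are required; pathlen:0 is only recommended.
check_clm_intermediate_cert() {
    text=$(cert_text "$1") || return 2; rc=0
    echo "$text" | grep -q 'Public Key Algorithm: rsaEncryption' &&
        echo "$text" | grep -q 'Public-Key: (4096 bit)' ||
        { echo "FAIL: key is not a 4096-bit RSA key"; rc=1; }
    echo "$text" | grep -q 'CA:TRUE' ||
        { echo "FAIL: basicConstraints CA:TRUE is missing"; rc=1; }
    echo "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' ||
        { echo "FAIL: keyUsage lacks Certificate Sign"; rc=1; }
    echo "$text" | grep -q 'pathlen:0' || echo "WARN: pathlen:0 is recommended"
    return $rc
}

# Private key file for a CLM deployment must be unencrypted PEM.
check_unencrypted_pem_key() {
    grep -q -- '-----BEGIN' "$1" || { echo "FAIL: $1 is not PEM"; return 1; }
    grep -q 'ENCRYPTED' "$1" && { echo "FAIL: $1 is encrypted"; return 1; }
    return 0
}
```

Run the checks as, for example, `check_clm_server_cert server.pem clm1.example` and `check_clm_intermediate_cert intermediate.pem`; a zero exit status means all required restrictions were found.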

TLS version and cipher support

By default, only TLS 1.2 is enabled. However, external systems such as OSS clients may use deprecated TLS versions. For CLM compatibility with such systems, you can enable older TLS versions.

The following parameter in the CLM configuration file enables or disables the support for the deprecated TLS versions:

  • tlsv1ProtocolsEnabled