CLM TLS configuration requirements

TLS deployment options

During CLM system deployment, you can use one or more TLS certificates that the CLM generates and signs, or provide one or more of your own signed certificates, which are called custom certificates.

The CLM cluster software package provides a PKI server that can be used to simplify the TLS certificate distribution to NSP components.

Note: If the CLM clusters use advertised hostnames, the SAN field of a CLM server certificate must include the advertised hostname of each CLM cluster.

Note: The private key and certificate files for a CLM deployment must be in unencrypted PEM format.

Using custom TLS certificates

A custom TLS certificate for the CLM must:

Note: A custom CLM server certificate must be unique to a CLM cluster.

See "To generate custom TLS certificate files for the CLM" for configuration information.

Using intermediate signing certificates

The CLM PKI service can act as an intermediate CA. The supported intermediate key type is a 4096-bit RSA key.

The required and recommended key extensions are the following:

For example:

Note: Required restrictions are in boldface type:

X509v3 Basic Constraints: critical
    CA:TRUE, pathlen:0
X509v3 Key Usage: critical
    Digital Signature, Certificate Sign, CRL Sign
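As an added example (not part of the CLM documentation), the following script builds a throwaway root CA and an intermediate CA that carries exactly the Basic Constraints and Key Usage shown above, and checks a certificate against those requirements using openssl(1); the file names, subjects and validity periods are assumptions.

```shell
#!/bin/sh
# Added example, not CLM code: issue an intermediate CA with the extensions
# the page requires, then verify a certificate against those requirements.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Extension profile for the intermediate, as listed on the page.
cat > "$WORK/intermediate.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

make_chain() {
    # Root CA: 4096-bit RSA, self-signed. genpkey writes unencrypted PEM,
    # which is the key format the page requires for CLM deployments.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$WORK/root.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/root.key" -days 3650 -sha256 \
        -subj "/CN=Example Root CA" -out "$WORK/root.crt" 2>/dev/null
    # Intermediate: 4096-bit RSA CSR signed by the root with the profile.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -out "$WORK/intermediate.key" 2>/dev/null
    openssl req -new -key "$WORK/intermediate.key" -sha256 \
        -subj "/CN=Example Intermediate CA" -out "$WORK/intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 1825 -sha256 \
        -extfile "$WORK/intermediate.ext" -out "$WORK/intermediate.crt" 2>/dev/null
}

# check_intermediate CERT: succeeds only if CERT is a 4096-bit RSA certificate
# with critical Basic Constraints CA:TRUE, pathlen:0 and critical Key Usage
# of exactly Digital Signature, Certificate Sign, CRL Sign.
check_intermediate() {
    txt=$(openssl x509 -in "$1" -noout -text)
    echo "$txt" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    echo "$txt" | grep -q 'Public-Key: (4096 bit)' || return 1
    echo "$txt" | grep -A1 'X509v3 Basic Constraints: critical' \
        | grep -q 'CA:TRUE, pathlen:0' || return 1
    echo "$txt" | grep -A1 'X509v3 Key Usage: critical' \
        | grep -q '^ *Digital Signature, Certificate Sign, CRL Sign$' || return 1
}

make_chain
check_intermediate "$WORK/intermediate.crt" && echo "intermediate meets the profile"
```

The root certificate deliberately fails the check (no pathlen:0 and no Key Usage), which shows that a CA certificate is not automatically an acceptable intermediate.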

TLS version and cipher support

By default, only TLS 1.2 is enabled. However, external systems such as OSS clients may use deprecated TLS versions. For CLM compatibility with such systems, you can enable older TLS versions.

The following parameter in the CLM configuration file enables or disables the support for the deprecated TLS versions: