Change Request
- Describe what you find is inappropriate or missing in the existing docs.
The certificate-based authentication docs suggest minting 1,000-year TLS certificates for authentication. 1,000 years is a very long validity period. Have you considered 90 days or less?
- Describe your suggestion or addition.
Short-lived certificates are much safer, especially for client authentication (where client certs and keys are more likely to be moved around and more easily exfiltrated). If nothing else, it'd be great for the docs to point to resources on best practices for certificate management in production. For configuring automated renewal, it'd also be helpful to know when certificate files are read by TiDB. Does TiDB need to be restarted? Sent a HUP signal? Or, are certificate files read on every new connection?
A more gourmet option is for TiDB to build in support for being an ACME client (the protocol used by Let's Encrypt).
- Provide some reference materials (documents, websites, etc) if you could.
My company (Smallstep Labs) has created an open-source X.509 CA that makes minting and renewing certificates easy. Here's a tutorial for automating x.509 certificate lifecycle management.
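The validity-period point above can be checked mechanically. The following Go program is an added example, not code from the issue author, TiDB, or Smallstep: it issues a client-auth certificate from a throwaway demo CA with a caller-chosen NotAfter, then applies a validity-ceiling policy to the parsed certificate. The 90-day ceiling (`MaxValidity`) and the `tidb-client` common name are assumptions taken from the proposal above; the check compares timestamps rather than subtracting them because a `time.Duration` cannot represent 1,000 years.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the assumed policy ceiling: the 90 days proposed in the issue.
const MaxValidity = 90 * 24 * time.Hour

// CheckValidity returns an error when the certificate's validity window exceeds
// MaxValidity. Times are compared directly: time.Duration is int64 nanoseconds
// (about 292 years), so NotAfter.Sub(NotBefore) would saturate for a 1,000-year cert.
func CheckValidity(cert *x509.Certificate) error {
	if cert.NotAfter.After(cert.NotBefore.Add(MaxValidity)) {
		return fmt.Errorf("cert %q valid %s..%s exceeds policy maximum of %s",
			cert.Subject.CommonName, cert.NotBefore.Format(time.RFC3339),
			cert.NotAfter.Format(time.RFC3339), MaxValidity)
	}
	return nil
}

// NewCA creates a self-signed demo CA (constructed for this example, not a production CA).
func NewCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "demo-ca"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return key, ca, err
}

// IssueClientCert issues a client-auth certificate for cn, valid until notAfter,
// signed by the demo CA, and returns it PEM-encoded.
func IssueClientCert(caKey *ecdsa.PrivateKey, ca *x509.Certificate, cn string, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Random 128-bit serial, as a real CA would use.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCertPEM decodes the first CERTIFICATE block in pemBytes.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	caKey, ca, err := NewCA()
	if err != nil {
		panic(err)
	}
	// The 1,000-year lifetime the current docs suggest, beside a 24-hour one.
	for _, notAfter := range []time.Time{time.Now().AddDate(1000, 0, 0), time.Now().Add(24 * time.Hour)} {
		pemBytes, err := IssueClientCert(caKey, ca, "tidb-client", notAfter)
		if err != nil {
			panic(err)
		}
		cert, err := ParseCertPEM(pemBytes)
		if err != nil {
			panic(err)
		}
		fmt.Printf("NotAfter %s: policy result %v\n", cert.NotAfter.Format(time.RFC3339), CheckValidity(cert))
	}
}
```

The same `CheckValidity` can be run over an existing PEM file before it is deployed to a client, which is the practical use: it rejects a 1,000-year certificate and accepts anything at or under the ceiling, so renewal automation (whatever reload mechanism TiDB turns out to use) is forced to exist rather than being optional.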