which certs for that
Which machine requires which certificates and why:

+------------+----------------+---------------------+------------------+---------------------------+
| Machine    | Needs Root CA? | Needs Intermediate? | Needs Leaf Cert? | Purpose                   |
+------------+----------------+---------------------+------------------+---------------------------+
| causer2    | Yes            | Yes                 | No               | Validate server identity  |
| virtca6    | Yes            | Yes                 | Yes              | Terminate & re-encrypt    |
| sh1re      | No             | No                  | Yes              | Present valid server cert |
+------------+----------------+---------------------+------------------+---------------------------+
Explanation:

- causer2 (Client): Needs to validate the leaf cert (from sh1re) up the chain. That means it must have the Intermediate and Root CAs. It doesn't need its own cert; it's a client.
- virtca6 (Proxy with socat): Terminates TLS from causer2 and connects securely to sh1re. It must present a cert (Leaf) and validate sh1re's cert, so it needs the Intermediate and Root CAs too.
- sh1re (Backend server): Presents a valid Leaf cert (e.g., wildcard cert). Does not validate clients, so it doesn't need to store CA certs for this scenario.
