How is TLS configured for the Control Agent when not in HA?
In section 23.1.2 TLS/HTTPS Configuration of the Kea ARM version 2.2.0, it is stated that the trust-anchor option specifies a path to the certificate authority certificate of the [HA] peer, and that this setting must be specified along with cert-file and key-file to enable TLS.
Confusingly, the "Security considerations" of the Kea documentation of 2.1.7-git states that you will "...not implement the secure layer [TLS] within Kea..." and that "...a reverse HTTP proxy can be setup [sic] using one of the third party HTTP server implementations..."
These things seem to conflict. Back to the original point, though: my confusion is about how to enable TLS for the control agent when not in HA (and also when in HA with one or more backup servers, when there would be more than one peer). Why is it necessary to configure the peer's certificate authority certificate in the control agent configuration when the system has its own certificate authority certificate store?