TLS certificates for NFS-over-TLS floating client

John-Mark Gurney jmg at
Thu Mar 19 19:16:15 UTC 2020

Rick Macklem wrote this message on Wed, Mar 04, 2020 at 03:15 +0000:
> I am slowly trying to understand TLS certificates and am trying to figure
> out how to do the following:
> -> For an /etc/exports file with...
> /home -tls -network -mask
> /home -tlscert

Are you looking at implementing draft-cel-nfsv4-rpc-tls?

> This syntax isn't implemented yet, but the thinking is that clients on the
> 192.168.1 subnet would use TLS, but would not require a certificate.
> For access from anywhere else, the client(s) would be required to have a
> certificate.
> A typical client mounting from outside of the subnet might be my laptop,
> which is using wifi and has no fixed IP/DNS name.
> --> How do you create a certificate that the laptop can use, which the NFS
>        server can trust enough to allow the mount?
> My thinking is that a "secret" value can be put in the certificate that the NFS
> server can check for.
> The simplest way would be a fairly long list of random characters in the
> organizationName and/or organizationUnitName field(s) of the subject name.
> Alternately, it could be a newly defined extension for X509v3, I think?
> Now, I'm not sure, but I don't think this certificate can be created via
> a trust authority such that it would "verify". However, the server can
> look for the "secret" in the certificate and allow the mount based on that.
> Does this sound reasonable?

Without a problem statement or what you're trying to accomplish, it's
hard to say if it is.

> Also, even if the NFS client/server have fixed IP addresses with well known
> DNS names, it isn't obvious to me how signed certificates can be acquired
> for them?
> (Let's Encrypt expects the ACME protocol to work and that seems to be
>  web site/http specific?)

There are DNS challenges that can be used.  I use them to obtain certs
for SMTP and SIP servers...  Using nsupdate, it is relatively easy to
automate pushing the challenges to a DNS server, and I now use DNS
challenges for everything, including https.

> Thanks for any help with this, rick

Let me know if you'd like to hop on a call about this.

  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
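The scheme Rick proposes in the quoted text (a long random value in the subject's organizationalUnitName, checked by the server instead of chain verification), as an added Go example that is not code from the FreeBSD NFS implementation or from either poster: it generates a self-signed client certificate carrying a fresh secret in the OU attribute, shows the server-side gate, and confirms that the same certificate fails ordinary path validation. The organization string, the one-year validity and the empty trust store are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// newMountSecret makes the per-client secret the NFS server will be told to
// look for: 32 random bytes, hex-encoded so it fits a printable DN attribute.
func newMountSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// clientCert builds the laptop's self-signed certificate with the secret in
// the organizationalUnitName attribute of the subject and returns it as DER.
// The organization string and the one-year validity are assumptions.
func clientCert(secret string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			Organization:       []string{"nfs-floating-client"}, // hypothetical name
			OrganizationalUnit: []string{secret},
		},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	// Self-signed: the template is its own parent and signs with its own key.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return der, key, nil
}

// serverAllowsMount is the server-side gate: instead of chain verification it
// asks whether any OU of the presented certificate carries the expected secret.
// Both sides are hashed before a constant-time compare so neither the secret's
// length nor a partial prefix match leaks through timing.
func serverAllowsMount(der []byte, expectedSecret string) (bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	want := sha256.Sum256([]byte(expectedSecret))
	for _, ou := range cert.Subject.OrganizationalUnit {
		got := sha256.Sum256([]byte(ou))
		if subtle.ConstantTimeCompare(want[:], got[:]) == 1 {
			return true, nil
		}
	}
	return false, nil
}

// chainVerifies runs ordinary path validation against an empty trust store:
// this is the check the self-signed certificate cannot pass, which is why the
// server has to fall back to the secret match.
func chainVerifies(der []byte) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	secret, err := newMountSecret()
	if err != nil {
		panic(err)
	}
	der, _, err := clientCert(secret)
	if err != nil {
		panic(err)
	}
	ok, _ := serverAllowsMount(der, secret)
	bad, _ := serverAllowsMount(der, "not-the-secret")
	fmt.Printf("secret matches: %v, wrong secret: %v, chain verifies: %v\n",
		ok, bad, chainVerifies(der))
}
```

The value in the OU is a bearer secret, so it wants the handling a password gets: unique per client, stored hashed on the server, and revocable by deleting the server-side entry. It also only makes sense where the client certificate is not visible to a passive observer; in TLS 1.2 the client's Certificate message is sent in the clear, in TLS 1.3 it is encrypted. The alternative that does "verify" in the usual sense is a private CA whose root the NFS server trusts and which issues the laptop its certificate; the subject can then carry any identifier without the value itself being the credential.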
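The DNS challenge John-Mark mentions, as an added Go example that is not his tooling or anything from the FreeBSD tree: it derives the TXT record value for an ACME dns-01 challenge from the challenge token and the RFC 7638 thumbprint of the account key (RFC 8555 section 8.4), and renders the nsupdate batch that would publish that record for a zone that accepts dynamic updates. The name server, zone, host name, TTL and token are constructed placeholders; feeding the batch to nsupdate (with a TSIG key) and telling the CA to validate are left to the ACME client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// ACME uses unpadded base64url throughout.
func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newAccountKey generates the ACME account key; P-256 is what most clients use.
func newAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// jwkThumbprint is the RFC 7638 thumbprint of an EC P-256 public key:
// SHA-256 over the JSON {"crv","kty","x","y"} with the members in
// lexicographic order and no whitespace. The struct field order below is
// that order, and encoding/json emits no whitespace.
func jwkThumbprint(pub *ecdsa.PublicKey) (string, error) {
	canon := struct {
		Crv string `json:"crv"`
		Kty string `json:"kty"`
		X   string `json:"x"`
		Y   string `json:"y"`
	}{
		"P-256", "EC",
		b64url(pub.X.FillBytes(make([]byte, 32))),
		b64url(pub.Y.FillBytes(make([]byte, 32))),
	}
	buf, err := json.Marshal(canon)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(buf)
	return b64url(sum[:]), nil
}

// dns01TXT is the record value the CA looks up at _acme-challenge.<name>:
// base64url(SHA-256(token "." thumbprint)), i.e. the digest of the key
// authorization string from RFC 8555 section 8.1.
func dns01TXT(token, thumbprint string) string {
	sum := sha256.Sum256([]byte(token + "." + thumbprint))
	return b64url(sum[:])
}

// nsupdateBatch renders the dynamic-update batch that replaces any stale
// challenge record and publishes the current one.
func nsupdateBatch(server, zone, name, txt string, ttl int) string {
	var sb strings.Builder
	fmt.Fprintf(&sb, "server %s\n", server)
	fmt.Fprintf(&sb, "zone %s\n", zone)
	fmt.Fprintf(&sb, "update delete _acme-challenge.%s. TXT\n", name)
	fmt.Fprintf(&sb, "update add _acme-challenge.%s. %d TXT \"%s\"\n", name, ttl, txt)
	sb.WriteString("send\n")
	return sb.String()
}

func main() {
	key, err := newAccountKey()
	if err != nil {
		panic(err)
	}
	thumb, err := jwkThumbprint(&key.PublicKey)
	if err != nil {
		panic(err)
	}
	// Constructed sample token; a real one comes from the CA's challenge object.
	token := "sample-challenge-token-not-from-a-real-CA"
	txt := dns01TXT(token, thumb)
	fmt.Print(nsupdateBatch("ns1.example.net", "example.net", "nfs.example.net", txt, 60))
}
```

The batch goes to `nsupdate -k <tsig-key-file>` on the host that is allowed to update the zone; once the record is visible on the authoritative servers the client tells the CA the challenge is ready, and the record can be deleted after the order is finalized. Nothing in the validation ties the name to an HTTP listener, which is why this works for an NFS server or any other host that serves no web site.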
