GOST has three types of TLS certificates: self-generated certificate, global certificate, and service-level certificate.
GOST automatically generates a TLS certificate on every run, and if no certificate is specified, this certificate is used as the default.
Customize Certificate Information
- Validity period.
- Common Name.
The global certificate uses the automatically generated certificate by default, or you can specify a custom certificate file through configuration.
!!! tip "Default Files"
GOST will automatically load the
ca.pem files in the current working directory to initialize the global certificate.
The listeners and handlers of each service can set their own certificates separately, and the global certificate is used by default.
Clients can set certificates separately for dialers and connectors for each node.
- CA certificate file path. Setting up a CA certificate will enable Certificate Pinning.
- Enable server certificate and domain name verification.
When `secure` is set to true, you need to specify the server domain name through this option for domain name verification. By default, `IP_OR_DOMAIN` in the setting is used as the serverName.
Mutual TLS authentication
If a CA certificate is set on the server, the client certificate will be verified, and the client must provide the certificate.
Certificate information set via the command line applies only to the listener or dialer.