Commit

update documentation
gerardsn committed Dec 12, 2024
1 parent c7c8424 commit 23346a6
Showing 1 changed file with 1 addition and 6 deletions.
7 changes: 1 addition & 6 deletions docs/pages/deployment/certificates.rst
Expand Up @@ -24,11 +24,6 @@ In ``did:x509`` the certificates are also used in the cryptographic proofs to ob
This means the certificate chain now provides the root of trust and has stricter requirements than connection certificates.

Trust in specific certificate CAs is configured per use-case in a :ref:`Discovery <discovery>` and :ref:`Policy <policy>` definition file.
In addition, all trusted CA chains must also be added to the ``tls.truststorefile``.
All CA certificates from chains trusted per the above definition files are automatically added to the CRL checker at runtime.
For certificate chains used in ``did:x509`` the Nuts-node always uses a hard-fail strategy, i.e., the ``pki.softfail`` config value is ignored during certificate validation for ``did:x509``.
This means that the Nuts-node will not be able to verify a ``did:x509`` DID or Verifiable Credential signed by this DID Method if the CRL cannot be downloaded and the CRL in the cache is older than ``pki.maxupdatefailhours``.

.. note::

Since the configured truststore file is now used for multiple purposes, it is no longer possible for the Nuts-node to determine what certificate chain is accepted/trusted for what purpose.
This means that all incoming TLS connections (including gRPC) must be offloaded in a proxy and validated against the expected certificate chain.
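Review bot: the retained sentence "All CA certificates from chains trusted per the above definition files are automatically added to the CRL checker at runtime" takes the place of the requirement that trusted CA chains also be added to ``tls.truststorefile`` and of the note about offloading TLS (including gRPC) in a proxy, but the hunk never tells operators who followed the old text what to do now; add one sentence stating explicitly that ``did:x509`` CA chains no longer need to be present in ``tls.truststorefile`` and that the truststore is again used only for connection certificates, otherwise readers of the new page cannot tell whether the two trust stores are still coupled. "At runtime" is also ambiguous about whether a CA added to or removed from a Discovery or Policy definition file takes effect without a restart, and whether CAs that disappear from those files are removed from the CRL checker again; a short clarification would save a support question. The two sentences on the hard-fail strategy and ``pki.maxupdatefailhours`` still read correctly after the deletion.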
