Managing mTLS with the C# client
For the complete documentation index see: llms.txt
All documentation pages available in markdown.
Aerospike Database Enterprise Edition supports standard TLS and mutual authentication TLS (mTLS). This page describes how to configure a C# application to connect to an Aerospike cluster that uses mTLS.
You can find a fully-functional example project in the aerospike-tls-examples GitHub repository.
Keys and certificates
For mTLS, both the client and server must have their own private key and certificate. In the following example, they are both signed by the same Certificate Authority (CA).
Install the certificates and the key on the Aerospike server nodes:
- CA Certificate:
example.ca.crt - Server Certificate:
example.server.crt - Server Private Key:
example.server.key
Install the certificates and the key on the C# client nodes:
- CA Certificate:
example.ca.crt - Client Certificate:
example.client.crt - Client Private Key:
example.client.key
Aerospike configuration
The following example aerospike.conf configuration shows only the stanzas and directives that are relevant for this TLS configuration:
network { tls example.server { ca-file /opt/aerospike/etc/certs/example.ca.crt cert-file /opt/aerospike/etc/certs/example.server.crt key-file /opt/aerospike/etc/private/example.server.key }
service { tls-address any tls-port 4000 tls-name example.server tls-authenticate-client example.client }}The tls block in the network stanza defines the TLS configuration for the Aerospike Database certificate.
This is used in both standard TLS as well as in mTLS.
The name example.server is known as the TLS name.
This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the server certificate example.server.crt.
It must also be referenced in the application code to connect to the cluster.
The following command verifies that the certificate has the expected CN value in the subject:
openssl x509 -in example.server.crt -text -noout | grep -E -- "Subject:" Subject: CN = example.server, O = "Aerospike, Inc.", C = USThe tls-authenticate-client directive specifies example.client.
This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the client certificate example.client.crt.
The following command verifies that the certificate has the expected CN value in the subject:
openssl x509 -in example.client.crt -text -noout | grep -E -- "Subject:" Subject: CN = example.client, O = "Aerospike, Inc.", C = USC# client TLS configuration
During the TLS handshake, the client sends its certificate and a message encrypted with the client’s private key to the server.
The C# client passes client certificates to the server using the
TlsPolicy.clientCertificates field.
Import the client certificate and private key into a PKCS #12 (.pfx) file, then load it in your application:
using Aerospike.Client;using System.Security.Cryptography.X509Certificates;
TlsPolicy tlsPolicy = new();
X509Certificate2 clientCert = new( "/etc/aerospike/ssl/example.client.pfx", "changeit");
tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });If your cluster uses PKI-based user authentication (the client certificate’s CN is the Aerospike username), set AuthMode.PKI in the client policy. For transport-only mTLS with password-based users, omit authMode or leave it at the default AuthMode.INTERNAL:
ClientPolicy policy = new(){ tlsPolicy = tlsPolicy, authMode = AuthMode.PKI};C# application
A C# application that connects to an Aerospike cluster using mTLS:
- Must enable TLS in the client policy.
- Must specify the host’s TLS name.
- Must provide the client certificate in
TlsPolicy.clientCertificates. - Should log Aerospike debug messages when troubleshooting.
The following example connects to a cluster using mTLS:
using Aerospike.Client;using System.Security.Cryptography.X509Certificates;
Host host = new("127.0.0.1", "example.server", 4000);
TlsPolicy tlsPolicy = new();
X509Certificate2 clientCert = new( "/etc/aerospike/ssl/example.client.pfx", "changeit");
tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });
ClientPolicy policy = new(){ tlsPolicy = tlsPolicy, authMode = AuthMode.PKI};
AerospikeClient client = new(policy, host);The TLS name must match the Common Name (CN) or Subject
Alternative Name (SAN) in the server certificate, as well as the tls-name used
in the Aerospike configuration file.
To log Aerospike debug messages, see the C# client logging usage.
For standard TLS without mutual authentication, see Connecting.
See the TlsPolicy API documentation for additional TLS configuration options, including protocol selection and certificate revocation.