Skip to content

Managing mTLS with the C# client

For the complete documentation index see: llms.txt

All documentation pages available in markdown.

Aerospike Database Enterprise Edition supports standard TLS and mutual authentication TLS (mTLS). This page describes how to configure a C# application to connect to an Aerospike cluster that uses mTLS.

You can find a fully-functional example project in the aerospike-tls-examples GitHub repository.

Keys and certificates

For mTLS, both the client and server must have their own private key and certificate. In the following example, they are both signed by the same Certificate Authority (CA).

Install the certificates and the key on the Aerospike server nodes:

  • CA Certificate: example.ca.crt
  • Server Certificate: example.server.crt
  • Server Private Key: example.server.key

Install the certificates and the key on the C# client nodes:

  • CA Certificate: example.ca.crt
  • Client Certificate: example.client.crt
  • Client Private Key: example.client.key

Aerospike configuration

The following example aerospike.conf configuration shows only the stanzas and directives that are relevant for this TLS configuration:

Terminal window
network {
tls example.server {
ca-file /opt/aerospike/etc/certs/example.ca.crt
cert-file /opt/aerospike/etc/certs/example.server.crt
key-file /opt/aerospike/etc/private/example.server.key
}
service {
tls-address any
tls-port 4000
tls-name example.server
tls-authenticate-client example.client
}
}

The tls block in the network stanza defines the TLS configuration for the Aerospike Database certificate. This is used in both standard TLS as well as in mTLS.

The name example.server is known as the TLS name. This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the server certificate example.server.crt. It must also be referenced in the application code to connect to the cluster. The following command verifies that the certificate has the expected CN value in the subject:

Command
Terminal window
openssl x509 -in example.server.crt -text -noout | grep -E -- "Subject:"
Example output
Subject: CN = example.server, O = "Aerospike, Inc.", C = US

The tls-authenticate-client directive specifies example.client. This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the client certificate example.client.crt. The following command verifies that the certificate has the expected CN value in the subject:

Command
Terminal window
openssl x509 -in example.client.crt -text -noout | grep -E -- "Subject:"
Example output
Subject: CN = example.client, O = "Aerospike, Inc.", C = US

C# client TLS configuration

During the TLS handshake, the client sends its certificate and a message encrypted with the client’s private key to the server. The C# client passes client certificates to the server using the TlsPolicy.clientCertificates field.

Import the client certificate and private key into a PKCS #12 (.pfx) file, then load it in your application:

using Aerospike.Client;
using System.Security.Cryptography.X509Certificates;
TlsPolicy tlsPolicy = new();
X509Certificate2 clientCert = new(
"/etc/aerospike/ssl/example.client.pfx",
"changeit"
);
tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });

If your cluster uses PKI-based user authentication (the client certificate’s CN is the Aerospike username), set AuthMode.PKI in the client policy. For transport-only mTLS with password-based users, omit authMode or leave it at the default AuthMode.INTERNAL:

ClientPolicy policy = new()
{
tlsPolicy = tlsPolicy,
authMode = AuthMode.PKI
};

C# application

A C# application that connects to an Aerospike cluster using mTLS:

  • Must enable TLS in the client policy.
  • Must specify the host’s TLS name.
  • Must provide the client certificate in TlsPolicy.clientCertificates.
  • Should log Aerospike debug messages when troubleshooting.

The following example connects to a cluster using mTLS:

using Aerospike.Client;
using System.Security.Cryptography.X509Certificates;
Host host = new("127.0.0.1", "example.server", 4000);
TlsPolicy tlsPolicy = new();
X509Certificate2 clientCert = new(
"/etc/aerospike/ssl/example.client.pfx",
"changeit"
);
tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });
ClientPolicy policy = new()
{
tlsPolicy = tlsPolicy,
authMode = AuthMode.PKI
};
AerospikeClient client = new(policy, host);

The TLS name must match the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate, as well as the tls-name used in the Aerospike configuration file.

To log Aerospike debug messages, see the C# client logging usage.

For standard TLS without mutual authentication, see Connecting.

See the TlsPolicy API documentation for additional TLS configuration options, including protocol selection and certificate revocation.

Feedback

Was this page helpful?

What type of feedback are you giving?

What would you like us to know?

+Capture screenshot

Can we reach out to you?