TLS-Crypt-V2 keys must transfer/inline to a different x509 certificate

[TinCanTech]

Server TLS-Crypt-V2 keys are not tied to any specific X509 server in any cryptological manner, so transferring a key to a new server inline-file should be a simple copy function.

[TinCanTech]

.oO Do I use a new command or a command line option ... ?

[TinCanTech]

All TLS-Crypt-V2 keys can be used by multiple nodes of the same server or client designation. So, allow for inlining mixed X509 keys with a user selectable TLS-CV2 key.

[TinCanTech]

A different approach could be to create group keys.

• Servers Each server can only run one server key and can only accept client keys which it created. To run a single server key on multiple servers requires that this server key be accessible to multiple server inline files, this means that the reliance on a X509 Cert $common_name to key $name association must be broken.

Server TLS keys should be group keys by default.

• Clients Clients can all have unique keys but this may not be ideal in some environments. This is where the idea of a group key is more appropriate. This also means that the X509 cert $common_name to TLS Key name association must be broken for clients.

Client keys should allow for group key mode.

ho-hum..

[TinCanTech]

Something like:

• build-group-key-server ${group_key} > server-${group_key}-tcv2.key
• build-group-key-client ${server_group_key} ${client_group_key} > client-${client_group_key}-tcv2.key (No hwaddr possible for client group keys)
• inline-group-key ${x509_common_name} ${${type}_group_key} no-key|add-dh|no-md > ${type}-${x509_common_name}-${group_key}.inline

[TinCanTech]

OK - Now a standard server key is suitable. This is good.

[TinCanTech]

Currently, I am satisfied with how Client-GROUP keys are reusable.

[TinCanTech]

A Server key could simply be renamed to a new Server X509 name ..

[TinCanTech]

The server key must be completely free to roam.