To ensure that only trusted client applications have access to a server instance, configure the server instance to require client authentication:

1. Set the ssl-verify-peer-mode configuration property to verify-peer-require-peer-cert.

2. Configure the server instance to use the system-provided CA store, a server-specific CA store, or both. Use these configuration properties to control the CA stores used by the server instance:

   - x509-ca-file-store specifies a PEM-formatted CA store used to authenticate clients.
   - x509-use-system-store directs the server instance to use the system's CA store to authenticate clients. x509-use-system-store does not work on Windows.

3. Optionally, configure the server instance to respect any certificate revocation lists (CRLs) in the CA store by adding the x509-use-crl property to the server's configuration. If this property is not specified, the server instance ignores the CRLs and may authenticate clients using revoked credentials.

   You must add a CRL to the server's CA store before adding the x509-use-crl property. If the CA store does not include a CRL, the server will crash.
This configuration excerpt configures a server instance to authenticate clients using the system CA store and to respect CRLs:
... --https 9920 --x509-cert-chain ./x509/my-cert.pem --x509-private-key ./x509/my-key.pem --x509-passphrase ./x509/my-passphrase --ssl-verify-peer-mode verify-peer-require-cert --x509-use-system-store --x509-use-crl ...
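Because enabling x509-use-crl against a CA store with no CRL crashes the server, a pre-flight check of the option list and the file-based store is worthwhile. The following is an added example, not part of this documentation or the server's own tooling: it counts the PEM block types in a CA store file and flags option combinations that the text above says are invalid (CRL checking without a CRL in the file store, or the system store on Windows). The option names are taken from the excerpt above; the PEM bodies are constructed placeholders, and the system store cannot be inspected offline, so it is not checked.

```python
import re
from collections import Counter

# Constructed sample CA store: one CA certificate followed by one CRL.
# The base64 bodies are placeholders, not real certificate data.
SAMPLE_STORE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderCertificateBodyConstructedForThisExample==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n"
    "MIIBplaceholderCrlBodyConstructedForThisExample==\n"
    "-----END X509 CRL-----\n"
)
# Same store with the CRL block stripped: the configuration the text warns about.
CERT_ONLY_STORE = SAMPLE_STORE.split("-----BEGIN X509 CRL-----")[0]

# Matches one PEM block and captures its type label ("CERTIFICATE", "X509 CRL", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_block_types(pem_text):
    """Count PEM block types in a store, e.g. Counter({'CERTIFICATE': 1, 'X509 CRL': 1})."""
    return Counter(m.group(1) for m in PEM_BLOCK.finditer(pem_text))


def check_client_auth_options(options, store_text=None, windows=False):
    """Return a list of problems found in a server option list like the excerpt above.

    options:    command-line tokens (e.g. ["--https", "9920", "--x509-use-crl", ...])
    store_text: contents of the file named by --x509-ca-file-store, if that option is set
    windows:    True when the server runs on Windows (x509-use-system-store is unsupported there)
    """
    problems = []
    uses_file_store = "--x509-ca-file-store" in options
    uses_system_store = "--x509-use-system-store" in options
    if uses_system_store and windows:
        problems.append("--x509-use-system-store does not work on Windows")
    if "--x509-use-crl" not in options:
        return problems  # nothing more to check; note that revoked credentials will be accepted
    if not (uses_file_store or uses_system_store):
        problems.append("--x509-use-crl set but no CA store is configured")
    if uses_file_store:
        counts = pem_block_types(store_text or "")
        if counts["CERTIFICATE"] == 0:
            problems.append("file CA store contains no CA certificate")
        if counts["X509 CRL"] == 0:
            problems.append("file CA store contains no CRL; the server would crash with --x509-use-crl")
    return problems
```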