Encrypting Replication with mTLS


VAST Cluster supports securing the replication connection with mutual TLS (mTLS) encryption. With mTLS, each replication peer authenticates the other peer, and all traffic between the peers is encrypted.

mTLS encryption requires that an mTLS certificate be installed on each of the peer clusters and that each peer has secure mode enabled.

To configure mTLS encryption:

  1. Create a CA certificate, a CA key and a root certificate to be used by the replication peers.

  2. Install the CA certificate, CA key and root certificate on each of the replication peers.

  3. Configure each replication peer to use secure mode (in replication peer settings).

Creating mTLS Certificates for Replication

  1. Create a new password-protected CA key and a root certificate to be used by the replication peers:

    openssl genrsa -aes256 -out ca.key 4096
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj '/CN=Replication-Root-CA'

    Two files will be created:

    • ca.key that contains the password-protected CA key,

    • ca.crt that contains the root certificate.

  2. Verify the certificate details using the command:

    openssl x509 -in ca.crt -noout -text

  3. Create a new key/certificate pair per replication peer, and sign the certificate using the password-protected CA key created above:

    Note

    It is recommended to create one key/certificate pair per cluster.

    CLUSTER=myclustername
    openssl genrsa -out ${CLUSTER}.key 2048
    openssl req -new -key ${CLUSTER}.key -out ${CLUSTER}.csr -nodes -subj "/CN=Replication-$CLUSTER"
    openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in ${CLUSTER}.csr -out ${CLUSTER}.crt -days 1095

    Where myclustername is a hostname or cluster name used to identify the cluster in replication.

    Three files will be created:

    • myclustername.key that contains the cluster's key,

    • myclustername.crt that contains the cluster's certificate,

    • myclustername.csr, which is only used during the creation process and can be deleted.

  4. Verify the cluster certificate using the command:

    openssl x509 -in myclustername.crt -noout -text

    The cluster certificate details must include this string:

    Issuer: CN=Replication-Root-CA
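
The creation and verification steps above, as an added shell example that is not part of the VAST documentation. It automates steps 1, 3 and 4 and turns the visual check in step 4 into a scripted one that also verifies the chain to ca.crt and that the key belongs to the certificate; it assumes openssl is on PATH, and the CA passphrase is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the VAST documentation. Assumes openssl on PATH.
# CA_PASS is a constructed placeholder passphrase; set your own in real use.
set -eu
CA_PASS="${CA_PASS:-constructed-ca-passphrase}"

# Step 1: password-protected CA key and root certificate.
make_ca() {
  dir="$1"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
    -out "$dir/ca.crt" -subj '/CN=Replication-Root-CA'
}

# Step 3: one key/certificate pair per cluster, signed with the CA key.
make_cluster_cert() {
  dir="$1"; cluster="$2"
  openssl genrsa -out "$dir/$cluster.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$cluster.key" -out "$dir/$cluster.csr" \
    -subj "/CN=Replication-$cluster"
  openssl x509 -req -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -in "$dir/$cluster.csr" -out "$dir/$cluster.crt" -days 1095 2>/dev/null
  rm -f "$dir/$cluster.csr"   # only needed during creation
}

# Step 4, scripted: the issuer must be the replication root CA, the
# certificate must chain to ca.crt, and the key must belong to the
# certificate. Prints "OK: ..." or "FAIL: ..." and returns non-zero on failure.
check_cluster_cert() {
  dir="$1"; cluster="$2"
  issuer=$(openssl x509 -in "$dir/$cluster.crt" -noout -issuer -nameopt RFC2253)
  case "$issuer" in
    issuer=*CN=Replication-Root-CA) ;;
    *) echo "FAIL: unexpected issuer: $issuer"; return 1 ;;
  esac
  openssl verify -CAfile "$dir/ca.crt" "$dir/$cluster.crt" >/dev/null 2>&1 \
    || { echo "FAIL: $cluster.crt does not chain to ca.crt"; return 1; }
  # The public key embedded in the certificate must equal the key file's public key.
  cert_pub=$(openssl x509 -in "$dir/$cluster.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$cluster.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $cluster.key does not match $cluster.crt"; return 1; }
  echo "OK: $cluster.crt is issued by Replication-Root-CA and matches $cluster.key"
}
```

Run `make_ca DIR`, then `make_cluster_cert DIR CLUSTER` and `check_cluster_cert DIR CLUSTER` for each peer before installing the files on the cluster.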

Install mTLS Certificates on each Participating VAST Cluster

Installing mTLS Certificates from the VAST Web UI

  1. From the left navigation menu, select Settings and then Certificates.

  2. From the Certificate for dropdown, select replication.

  3. Either paste the certificate file contents into the Certificate field or use the Upload button to upload the file. In the same way, paste or upload the key file contents into the Key field and the root certificate file contents into the Root Certificate field.

    When pasting the file content, include the BEGIN CERTIFICATE / BEGIN PRIVATE KEY and END CERTIFICATE / END PRIVATE KEY lines, like this:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  4. If the private key is password protected, enter the password in the Key Password field.

  5. Click Update.

Installing mTLS Certificates from the VAST CLI

To install the certificates using the VAST CLI, use the cluster modify command with the following parameters: --cluster-certificate, --cluster-private-key and --root-certificate.