TLS Certificates
All flexFS server components communicate over TLS by default. On first startup, each server automatically generates a self-signed certificate if no certificate is found.
Auto-generated certificates
When a server starts and does not find an existing certificate and key at its configured paths, it generates a self-signed certificate with the following properties:
| Property | Value |
|---|---|
| Key type | ECDSA P-256 |
| Subject | CN=flexfs, O=Paradigm4, Inc., L=Boston, ST=Massachusetts, C=US |
| DNS SANs | localhost |
| IP SANs | 127.0.0.1, ::1 |
| Validity | 100 years (876,000 hours) |
| Key usage | Digital Signature, Key Encipherment |
| Extended key usage | Server Authentication |
| Serial number | 128-bit random (per RFC 5280) |
| File permissions | 0600 (owner read/write only) |
Auto-generated certificates are suitable for development and internal deployments where all clients trust the server. For production deployments accessible over the internet, use custom certificates issued by a trusted CA.
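The properties in the table are enough to recognise an auto-generated certificate from the outside, which is useful when auditing a deployment that should have moved to CA-issued certificates. The Go program below is an added example, not flexFS code: it builds a constructed certificate from the table's values (the mapping onto x509 template fields is an assumption) and checks a parsed certificate for the default profile (self-signed, ECDSA P-256, CN=flexfs, 100-year validity).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IsDefaultFlexFSCert reports whether c matches the auto-generated profile in the table above: self-signed, ECDSA P-256, CN=flexfs, roughly 100 years of validity.
func IsDefaultFlexFSCert(c *x509.Certificate) bool {
	pk, ok := c.PublicKey.(*ecdsa.PublicKey)
	if !ok || pk.Curve != elliptic.P256() || c.Subject.CommonName != "flexfs" {
		return false
	}
	// Self-signed: the signature must verify under the certificate's own public key.
	if c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) != nil {
		return false
	}
	return c.NotAfter.Sub(c.NotBefore) >= 876000*time.Hour-24*time.Hour // 100 years, with a day of slack
}

// NewSelfSignedCert is constructed sample input built from the table's properties (assumption: this is how they map onto x509 fields).
func NewSelfSignedCert(validity time.Duration) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // 128-bit random serial
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: "flexfs", Organization: []string{"Paradigm4, Inc."},
			Locality: []string{"Boston"}, Province: []string{"Massachusetts"}, Country: []string{"US"}},
		DNSNames:    []string{"localhost"},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		NotBefore:   time.Now(), NotAfter: time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	fmt.Println("default-profile cert:", IsDefaultFlexFSCert(NewSelfSignedCert(876000*time.Hour)))
}
```

To check a deployed server, parse the PEM or DER certificate it serves with `x509.ParseCertificate` and pass it to `IsDefaultFlexFSCert`; a one-year CA-issued certificate returns false.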
Custom certificates
To use your own TLS certificates, provide the cert and key files via command-line flags on the server:
Metadata server (meta.flexfs)

```
meta.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
```

Proxy server (proxy.flexfs)

```
proxy.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
```

Admin server (admin.flexfs)

```
admin.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
```

Certificate paths
Each server stores its auto-generated certificate and key under the flexFS home folder:
| Server | Default cert path | Default key path |
|---|---|---|
| meta.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |
| proxy.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |
| admin.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |
All three servers share the same default certificate paths. When using --sslCert and --sslKey, the server reads from the specified paths instead.
Disabling TLS
TLS can be disabled on individual components. Common reasons include placing flexFS behind a reverse proxy (e.g., nginx) or load balancer that handles SSL termination, or testing in trusted internal networks:
| Component | Flag |
|---|---|
| meta.flexfs | --noSSL |
| proxy.flexfs | --noSSL |
| admin.flexfs | --noSSL |
Mount clients accept self-signed certificates by default: TLS certificate verification is skipped for connections to flexFS servers, so a mount connects regardless of which certificate the server presents. This simplifies deployment with auto-generated certificates.
Certificate rotation
To rotate certificates:
- Replace the certificate and key files at the configured paths.
- Restart the server process. The new certificate will be loaded on startup.
Connected clients will reconnect and accept the new certificate automatically.
Next steps
- Authentication — token-based auth model
- End-to-end encryption — AES-256 encryption for data at rest