
TLS Certificates

All flexFS server components communicate over TLS by default. On first startup, each server automatically generates a self-signed certificate if no certificate is found.

When a server starts and does not find an existing certificate and key at its configured paths, it generates a self-signed certificate with the following properties:

| Property | Value |
|---|---|
| Key type | ECDSA P-256 |
| Subject | CN=flexfs, O=Paradigm4, Inc., L=Boston, ST=Massachusetts, C=US |
| DNS SANs | localhost |
| IP SANs | 127.0.0.1, ::1 |
| Validity | 100 years (876,000 hours) |
| Key usage | Digital Signature, Key Encipherment |
| Extended key usage | Server Authentication |
| Serial number | 128-bit random (per RFC 5280) |
| File permissions | 0600 (owner read/write only) |

Auto-generated certificates are suitable for development and internal deployments where all clients trust the server. For production deployments accessible over the internet, use custom certificates issued by a trusted CA.

To use your own TLS certificates, provide the cert and key files via command-line flags on the server:

```bash
meta.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
proxy.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
admin.flexfs start --sslCert /path/to/cert.pem --sslKey /path/to/key.pem
```

Each server stores its auto-generated certificate and key under the flexFS home folder:

| Server | Default cert path | Default key path |
|---|---|---|
| meta.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |
| proxy.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |
| admin.flexfs | ~/.flexfs/ssl/cert | ~/.flexfs/ssl/key |

All three servers share the same default certificate paths. When using --sslCert and --sslKey, the server reads from the specified paths instead.

TLS can be disabled on individual components. Common reasons include placing flexFS behind a reverse proxy (e.g., nginx) or load balancer that handles SSL termination, or testing on trusted internal networks:

| Component | Flag |
|---|---|
| meta.flexfs | --noSSL |
| proxy.flexfs | --noSSL |
| admin.flexfs | --noSSL |

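Mount clients trust self-signed certificates by default (TLS verification is skipped for flexFS server connections). This simplifies deployment with auto-generated certificates. Because verification is skipped, TLS encrypts these connections but the certificate does not authenticate the server to the mount client.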

To rotate certificates:

  1. Replace the certificate and key files at the configured paths.
  2. Restart the server process. The new certificate will be loaded on startup.

Connected clients will reconnect and accept the new certificate automatically.
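
A check to run before step 1 of the rotation above, as an added example (not flexFS code): it confirms that the key matches the certificate and that a SAN covers the host name a verifying client would dial. The names `must`, `selfSigned` and `preflight` are hypothetical, `meta.example.internal` is a placeholder host, and the sample pair is constructed in memory with the key type, SANs, validity, usages and serial length from the table (the subject is left out).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a constructed sample cert/key pair (PEM) shaped like the auto-generated one.
func selfSigned(validFor time.Duration) (certPEM, keyPEM []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		DNSNames:     []string{"localhost"}, IPAddresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(key))})
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), keyPEM
}

// preflight fails if the key does not match the certificate or no SAN covers the host clients dial.
func preflight(certPEM, keyPEM []byte, host string) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not belong to the cert
	if err != nil {
		return fmt.Errorf("cert/key pair: %w", err)
	}
	return must(x509.ParseCertificate(pair.Certificate[0])).VerifyHostname(host) // leaf already parsed once above
}

func main() {
	c, k := selfSigned(876000 * time.Hour) // 100 years, as in the table
	fmt.Println(preflight(c, k, "127.0.0.1"), preflight(c, k, "meta.example.internal"))
}
```

The second call fails because the sample SANs cover only `localhost`, `127.0.0.1` and `::1`; for a real rotation, pass the contents of the new certificate and key files to `preflight`.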