Configuring an NFS Client with Mutual TLS Authentication

This task shows how to configure an NFS client so that the client and the NFS server authenticate each other with certificates during TLS-encrypted connections. This ensures that only trusted systems can access NFS shares, providing extra security for sensitive or regulated environments.

Ensure that you have the following:

  • An NFSv4 server and client, both with TLS enabled.
  • The ktls-utils package installed on both systems.
  • The Certificate Authority (CA) certificate from the NFS server, or a self-signed certificate generated on the NFS server as described in Generating a Self-Signed Certificate for TLS Authentication. If you're using a self-signed certificate, begin with the step that imports the certificate into the system trust store.

  1. Create a client private key and CSR.

    Run the following command, substituting the client's fully qualified host name for hostname (in both the Common Name (CN) and the DNS entry) and the client's IP address for host-ip-address:

    openssl req -new -newkey rsa:4096 -noenc \
       -keyout /etc/pki/tls/private/client.example.com.key \
       -out /etc/pki/tls/private/client.example.com.csr \
       -subj "/C=US/ST=State/L=City/O=Organization/CN=hostname" \
       -addext "subjectAltName=DNS:hostname,IP:host-ip-address"
  2. Obtain a client certificate.
    • Send the generated CSR to the CA and request a signed certificate.
    • Store the returned CA certificate and the signed client certificate on the client, for example as /etc/pki/tls/certs/client.example.com.crt, which is the path used in the tlshd configuration in step 5.
  3. (Optional) Remove obsolete certificates.

    If you have been using self-signed certificates for testing, it's a good idea to remove any previous, obsolete anchors first. For example, to list the existing anchors and then remove an unwanted anchor:

    trust list
    
    pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert
    type: certificate
    label: Test CA
    trust: anchor
    category: authority
    ...
    sudo trust anchor --remove pkcs11:id=%43%0E%35%20%3B%78%60%39%D0%C7%F8%53%1A%B6%73%83%12%90%AC%5D;type=cert
    
  4. Import the certificate into the system trust store.

    Run the following command to add the CA certificate (cert.pem in this example) as a new anchor in the system trust policy store:

    sudo trust anchor cert.pem
  5. Configure the client for mutual TLS.

    Edit /etc/tlshd.conf and add the following under the [authenticate.client] section:

    x509.certificate = /etc/pki/tls/certs/client.example.com.crt
    x509.private_key = /etc/pki/tls/private/client.example.com.key
  6. Enable and start the TLS daemon.

    Run the following command to enable tlshd immediately and whenever the system reboots:

    sudo systemctl enable --now tlshd.service
  7. Mount the NFS share with mutual TLS.

    Run the following command, replacing nfs-server and path/to/share with the NFS server's host name and exported directory:

    sudo mount -o xprtsec=mtls nfs-server:/path/to/share /mnt/
  8. Verify the connection.

    Run the following command. Look for a message in the output that says the server handshake was successful:

    sudo journalctl -u tlshd
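
A set of client-side checks for the steps above, written as an added example rather than code from the original page or from ktls-utils: it confirms the [authenticate.client] entries in tlshd.conf, that the client certificate and private key belong together, that the certificate chains to the CA and names this host in its SAN, and that the mounted share actually negotiated xprtsec=mtls. It assumes the file paths used in this guide, that `hostname -f` returns the name in the certificate's SAN, that the CA anchor file is cert.pem (override with CA_CERT), and that the kernel reports the xprtsec option in /proc/mounts.

```shell
#!/bin/sh
# Client-side sanity checks for the mutual-TLS setup above (added example,
# not from the original page). Paths and the hostname lookup are assumptions.
set -u

# 0 if the [authenticate.client] section of tlshd.conf names both the
# certificate and the private key; tlshd cannot present a client cert without both.
tlshd_client_section_ok() {
    section=$(awk '/^\[/ { insec = ($0 == "[authenticate.client]") } insec' "$1")
    printf '%s\n' "$section" | grep -q '^[[:space:]]*x509\.certificate[[:space:]]*=' &&
    printf '%s\n' "$section" | grep -q '^[[:space:]]*x509\.private_key[[:space:]]*='
}

# 0 if the certificate's public key is the one derived from the private key.
cert_matches_key() {
    crt_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_fp=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$crt_fp" ] && [ "$crt_fp" = "$key_fp" ]
}

# 0 if the certificate chains to the CA file and its SAN lists the host name,
# which is what the server checks during the mutual handshake.
# Usage: cert_trusted_for_host CERT HOSTNAME CA_FILE
cert_trusted_for_host() {
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -qE "DNS:$2(,|\$)"
}

# 0 if the mount table (e.g. /proc/mounts) shows MOUNTPOINT as an NFSv4 mount
# whose options include xprtsec=mtls (assumes the kernel reports it there).
# Usage: mount_uses_mtls MOUNT_TABLE MOUNTPOINT
mount_uses_mtls() {
    awk -v mp="$2" '$2 == mp && $3 ~ /^nfs4?$/ && $4 ~ /(^|,)xprtsec=mtls(,|$)/ { ok = 1 }
                    END { exit !ok }' "$1"
}

# Run every check against the paths used in this guide (assumed paths).
run_checks() {
    crt=/etc/pki/tls/certs/client.example.com.crt
    key=/etc/pki/tls/private/client.example.com.key
    ca=${CA_CERT:-cert.pem}   # the CA anchor file imported in step 4
    tlshd_client_section_ok /etc/tlshd.conf && echo "tlshd.conf: client cert and key configured"
    cert_matches_key "$crt" "$key" && echo "certificate and key match"
    cert_trusted_for_host "$crt" "$(hostname -f)" "$ca" && echo "certificate chains to CA and SAN matches host"
    mount_uses_mtls /proc/mounts /mnt && echo "/mnt mounted with xprtsec=mtls"
}
```

Source the file and call run_checks as root after step 7; any check that prints nothing is the one to investigate before reading the tlshd journal.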