diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md index af73a7887ddfc..3f48566c2da66 100644 --- a/enable-tls-between-components.md +++ b/enable-tls-between-components.md @@ -158,16 +158,17 @@ The Common Name is used for caller verification. In general, the callee needs to To verify component caller's identity, you need to mark the certificate user identity using `Common Name` when generating the certificate, and to check the caller's identity by configuring the `Common Name` list for the callee. +> **Note:** +> +> Currently the `cert-allowed-cn` configuration item of the PD can only be set to one value. Therefore, the `commonName` of all authentication objects must be set to the same value. + - TiDB Configure in the configuration file or command-line arguments: ```toml [security] - cluster-verify-cn = [ - "TiDB-Server", - "TiKV-Control", - ] + cluster-verify-cn = ["TiDB"] ``` - TiKV @@ -176,9 +177,7 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert-allowed-cn = [ - "TiDB-Server", "PD-Server", "TiKV-Control", "RawKvClient1", - ] + cert-allowed-cn = ["TiDB"] ``` - PD @@ -187,7 +186,7 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert-allowed-cn = ["TiKV-Server", "TiDB-Server", "PD-Control"] + cert-allowed-cn = ["TiDB"] ``` - TiFlash (New in v4.0.5) @@ -196,14 +195,14 @@ To verify component caller's identity, you need to mark the certificate user ide ```toml [security] - cert_allowed_cn = ["TiKV-Server", "TiDB-Server"] + cert_allowed_cn = ["TiDB"] ``` Configure in the `tiflash-learner.toml` file: ```toml [security] - cert-allowed-cn = ["PD-Server", "TiKV-Server", "TiFlash-Server"] + cert-allowed-cn = ["TiDB"] ``` ## Reload certificates