Etcd backup -- what is the use of ca.crt and server.key?

I am new to these certificates. As far as I understood, the client sends client.crt to the server and the server sends server.crt to the client for authentication. So my question is: why are we sending server.key and ca.crt to the etcd server?

    sudo ETCDCTL_API=3 etcdctl snapshot save snapshot.db --cacert /etc/kubernetes/pki/etcd/ca.crt --cert /etc/kubernetes/pki/etcd/server.crt --key /etc/kubernetes/pki/etcd/server.key

Hello @kad.an.devi,
Similarly, to configure etcd with secure client communication, specify flags --key-file=k8sclient.key and --cert-file=k8sclient.cert.
Please refer to this for more info: Operating etcd clusters for Kubernetes | Kubernetes

Hi @kad.an.devi

What is happening here is Mutual TLS Authentication. The only thing being sent to the etcd server is server.crt.

ca.crt is being used to verify the authenticity of the certificate being returned to etcdctl by the etcd server.

Please also refer https://www.cloudflare.com/en-gb/learning/access-management/what-is-mutual-tls/

Hi Alistair_KodeKloud.
Thank you for clearing why we need to send ca.crt.
If only server.crt is being sent to the etcd server, then why did we mention --key /etc/kubernetes/pki/etcd/server.key? What is the use of this? What is the server.key used for?

Hi @kad.an.devi

The only file sent to the server by etcdctl is server.crt - in order to say to the server “this is who I am”.

ca.crt is used to validate the .crt being sent back to the client by the server.
server.key is used by the client to decrypt messages being sent to the client from the server.

A .crt file apart from proof of identity, contains a public key which is used to encrypt messages.

A .key file contains a private key which is used to decrypt messages encrypted with the corresponding public key (above).

A ca.crt file is used to check other certificates to see if they were signed by this ca.crt so is an identity validation.


For ease, both etcdctl and etcd server have the same copy of all three files.
For better security etcdctl could have different .crt and .key files, but those would have to be issued by the same CA, and therefore both ends would have the same copy of ca.crt.

Certificate authority certificates are public knowledge, and your own computer contains many of them for the well known certificate authorities like GlobalSign etc.
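The two relationships described in the answers above (server.crt must be signed by ca.crt, and server.key must be the private half of the public key inside server.crt) can be checked locally with openssl before running the etcdctl backup. The script below is an added example, not code from this thread or from the etcd/Kubernetes projects: it builds a throwaway CA plus a CA-signed certificate and key in a temp directory so it runs stand-alone, and the names demo-etcd-ca, demo-etcd-client and other.key are constructed for the demo. On a real control-plane node you would point the two check functions at /etc/kubernetes/pki/etcd/ca.crt, server.crt and server.key instead.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that the three files handed to
# etcdctl fit together the way the etcd server will check them during the
# mutual-TLS handshake. All file names and subjects below are constructed.
set -eu

# Build a demo PKI in a temp dir: a self-signed CA, a client cert/key signed by
# that CA, and an unrelated key used to show what a mismatch looks like.
make_demo_pki() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-etcd-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-etcd-client" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" >/dev/null 2>&1
  openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
  echo "$dir"
}

# Check 1: is the certificate signed by the CA? This is the identity check each
# side performs on the certificate the other side presents (the role of ca.crt).
# $1 = ca.crt, $2 = certificate to check. Returns 0 on success.
cert_signed_by_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key belong to the certificate? etcdctl uses the
# private key to prove it owns the public key in server.crt; a key that does
# not match means the handshake fails. Compare SHA-256 digests of the PEM
# public key extracted from each file. $1 = certificate, $2 = private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone run: exercise both checks against the demo PKI.
demo=$(make_demo_pki)
cert_signed_by_ca "$demo/ca.crt" "$demo/server.crt" && echo "server.crt is signed by ca.crt"
key_matches_cert "$demo/server.crt" "$demo/server.key" && echo "server.key matches server.crt"
! key_matches_cert "$demo/server.crt" "$demo/other.key" && echo "other.key does not match server.crt (expected)"
rm -rf "$demo"
```

If the first check fails on a real node, the server will reject the client certificate because it was not issued by the CA it trusts; if the second fails, etcdctl cannot complete the handshake at all, which is the symptom you see when --cert and --key point at files from different key pairs.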

Thank you Alistair_KodeKloud, understood it clearly now.