[Kea-users] Kea 3 HA with TLS - private keys
Frederick Bloggingtons
frederickbloggingtons at gmail.com
Wed Apr 29 08:35:53 UTC 2026
Hello,
Using Kea 3.0.3 (& 3.1.7) with HA and TLS between servers.
The example config here:
https://github.com/isc-projects/kea/blob/master/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json
(lines 146-181) shows both certificate and key for each peer referenced.
This setup is working for us, but both private keys are present (on the
filesystem) on both instances.
I'm seeking clarification as to whether this is correct behaviour. If the
private key is to remain only on the instance it relates to (which it
probably should), will this work?

    "peers": [
        // This is the configuration of this server instance.
        {
            "name": "server1",
            // This specifies the URL of this server instance.
            "url": "http://192.168.56.33:8005/",
            // Trust anchor aka certificate authority file or directory.
            "trust-anchor": "/usr/lib/kea/CA.pem",
            // Client certificate file name.
            "cert-file": "/usr/lib/kea/server1_cert.pem",
            // Private key file name.
            "key-file": "/usr/lib/kea/server1_key.pem",
            // Client certificates are required and verified.
            "require-client-certs": true,
            // This server is primary. The other one must be
            // secondary.
            "role": "primary"
        },
        // This is the configuration of the HA peer.
        {
            "name": "server2",
            // Specifies the URL on which the partner's control
            // channel can be reached.
            "url": "http://192.168.56.66:8005/",
            // Trust anchor aka certificate authority file or directory.
            "trust-anchor": "/usr/lib/kea/CA.pem",
            // Client certificate file name.
            "cert-file": "/usr/lib/kea/server2_cert.pem",
            // Private key file name.
            "key-file": "/usr/lib/kea/server2_key.pem",
            // Client certificates are required and verified.
            "require-client-certs": true,
            // The partner is secondary. This server is primary.
            "role": "secondary"
        }
    ]

Regards