<div dir="ltr">Hello,<div><br></div><div>Using Kea 3.0.3 (&amp; 3.1.7) with HA and TLS between servers.</div><div><br></div><div>The example config here: <a href="https://github.com/isc-projects/kea/blob/master/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json">https://github.com/isc-projects/kea/blob/master/doc/examples/kea4/ha-load-balancing-server1-mt-with-tls.json</a> (lines 146-181) shows both certificate and key for each peer referenced.</div><div><br></div><div>This setup is working for us, but both private keys are present (on the filesystem) on both instances.</div><div>I'm seeking clarification as to whether this is correct behaviour? If the private key is to remain only on the instance it relates to (which it probably should), will this work?</div><div><br></div><div>                    "peers": [<br>                        // This is the configuration of this server instance.<br>                        {<br>                            "name": "server1",<br>                            // This specifies the URL of this server instance.<br>                            "url": "<a href="http://192.168.56.33:8005/">http://192.168.56.33:8005/</a>",<br>                            // Trust anchor aka certificate authority file or directory.<br>                            "trust-anchor": "/usr/lib/kea/CA.pem",<br>                            // Client certificate file name.<br>                            "cert-file": "/usr/lib/kea/server1_cert.pem",<br>                            // Private key file name.<br>                            "key-file": "/usr/lib/kea/server1_key.pem",<br>                            // Client certificates are required and verified.<br>                            "require-client-certs": true,<br>                            // This server is primary. 
The other one must be<br>                            // secondary.<br>                            "role": "primary"<br>                        },<br>                        // This is the configuration of the HA peer.<br>                        {<br>                            "name": "server2",<br>                            // Specifies the URL on which the partner's control<br>                            // channel can be reached.<br>                            "url": "<a href="http://192.168.56.66:8005/">http://192.168.56.66:8005/</a>",<br>                            // Trust anchor aka certificate authority file or directory.<br>                            "trust-anchor": "/usr/lib/kea/CA.pem",<br>                            // Client certificate file name.<br>                            "cert-file": "/usr/lib/kea/server2_cert.pem",<br>                            // Private key file name.<br>                            "key-file": "/usr/lib/kea/server2_key.pem",<br>                            // Client certificates are required and verified.<br>                            "require-client-certs": true,<br>                            // The partner is secondary. This server is primary.<br>                            "role": "secondary"<br>                        }<br>                    ]</div><div><br>Regards</div><div><br></div></div>