Light supports One-Way SSL by default in light-codegen, and Two-Way SSL can be enabled by updating server.yml. Unless you are using old tools that don't support HTTPS, it is recommended to use at least One-Way SSL even in the development phase, so that you don't have any surprises when releasing to an official test environment.
There are four keystore files that can be generated by light-codegen, depending on the config.json in the model-config repository.
Here is an example of config.json for light-codegen.
By default, the generated code will have server.keystore and server.truststore in the config folder. But if supportClient is true in config.json, then client.keystore and client.truststore will be generated as well.
The generated keystores and truststores contain self-signed certificates that expire in the year 2023, and these should be used for development only. Once you move to an official test environment, they need to be replaced with other self-signed certificates or CA-signed certificates.
Please refer to [self-signed vs. CA-signed certificate] for details on when to use a self-signed or a CA-signed certificate.
When connecting to a server over HTTPS, you should ask the server admin for the client certificate. If you cannot get the certificate from the server admin, you can download it from the server with openssl.
When making a TLS connection to the server, you need to add certificates to client.truststore in most cases. For most developers, it can be a challenge to get this right the first time. If your connection to the server is not established, chances are that client.truststore is missing the client certificate. To figure out whether the connection issue is due to the certificate, you can enable TLS debug in your IDE.
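The download with openssl and the import into client.truststore described above can be scripted as follows. This is an added example, not code from light-codegen. The host name, alias, file names and store password are placeholders, and it assumes the server admin can at least confirm the certificate's SHA-256 fingerprint out of band, so that a certificate fetched over the network is not trusted blindly.

```shell
#!/bin/sh
# Added example. Host, alias, password and file names are placeholders.

# Keep only the PEM certificate blocks from `openssl s_client -showcerts` output.
extract_pem_certs() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Keep only the first PEM block, which is the certificate of the server itself.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ }
         n == 1 { print }
         n == 1 && /-----END CERTIFICATE-----/ { exit }'
}

# Normalise a fingerprint so that "ab:cd" and "ABCD" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# fetch_leaf HOST PORT OUTFILE: save the certificate the server presents.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
        </dev/null 2>/dev/null | extract_pem_certs | first_cert >"$3"
    [ -s "$3" ]   # fail if nothing was captured
}

# import_if_expected PEM EXPECTED_SHA256 ALIAS TRUSTSTORE STOREPASS
# Imports only when the SHA-256 fingerprint of the downloaded certificate
# equals the value obtained out of band (assumption: the admin supplies it).
import_if_expected() {
    actual=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    if [ "$(norm_fp "$actual")" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch for $1, not importing" >&2
        return 1
    fi
    keytool -importcert -noprompt -alias "$3" -file "$1" \
        -keystore "$4" -storepass "$5"
}

# Usage (all values are placeholders):
#   fetch_leaf api.example.com 443 server.pem &&
#   import_if_expected server.pem "$FP_FROM_ADMIN" api-example \
#       client.truststore "$STOREPASS"
```

After the import, `keytool -list -keystore client.truststore` shows whether the alias is present, which is the first thing to check when the handshake still fails.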