TLS Certificates
Managing TLS certificates for trojan-rs
trojan-rs requires TLS certificates for the server. You can use certificates from a Certificate Authority (CA) or generate self-signed certificates for testing.
Self-Signed Certificates
trojan-rs includes a built-in certificate generator using ECDSA P-256 keys.
```bash
trojan cert generate \
  --domain example.com \
  --domain localhost \
  --ip 127.0.0.1 \
  --output /etc/trojan \
  --days 365
```

Options
| Option | Description |
|---|---|
| `--domain` | Domain name to include in the Subject Alternative Name extension (repeatable) |
| `--ip` | IP address to include in the Subject Alternative Name extension (repeatable) |
| `--output` | Output directory for the certificate and key files |
| `--days` | Validity period in days (default: 365) |
| `--cert-filename` | Certificate filename (default: cert.pem) |
| `--key-filename` | Private key filename (default: key.pem) |
This generates two files:

- `cert.pem`: self-signed X.509 certificate in PEM format
- `key.pem`: ECDSA P-256 private key in PEM format

Keep `key.pem` readable only by the account the server runs as (for example mode 0600): anyone who can read it can impersonate the server. Clients verify the server name they connect to against the Subject Alternative Names, so list every hostname and IP address clients will use.
Using Self-Signed Certificates
On the server:

```toml
[tls]
cert = "/etc/trojan/cert.pem"
key = "/etc/trojan/key.pem"
```

A self-signed certificate does not chain to any CA the client already trusts, so clients connecting to such a server need to either:

- Trust the certificate explicitly via the `ca` config option, pointing it at the server's `cert.pem`. The certificate is its own trust anchor, so this pins exactly that certificate; the server name the client connects to must still appear in its Subject Alternative Names.
- Skip verification via `skip_verify = true` (for testing only). The client then accepts any certificate, so an on-path attacker can impersonate the server and read or modify the traffic.
Let's Encrypt (ACME)
For production, use certificates from Let's Encrypt or another publicly trusted CA. Clients then verify the server against their normal trust store, and neither `ca` nor `skip_verify` is needed.
Using certbot

```bash
sudo certbot certonly --standalone -d your-domain.com
```

`--standalone` starts a temporary web server on port 80 for the HTTP-01 challenge, so port 80 must be reachable from the internet and not in use by another service while certbot runs. Then configure:

```toml
[tls]
cert = "/etc/letsencrypt/live/your-domain.com/fullchain.pem"
key = "/etc/letsencrypt/live/your-domain.com/privkey.pem"
```

Use `fullchain.pem` rather than `cert.pem` so that the intermediate certificate is sent to clients. The files under `/etc/letsencrypt/live/` are symlinks into `/etc/letsencrypt/archive/`, and the private key is readable only by root by default; if the server runs as an unprivileged user, it needs read access to the key (for example by copying the files with a deploy hook).
Certificate Renewal
Let's Encrypt certificates are valid for 90 days, and `certbot renew` only renews those within 30 days of expiry, so run it often enough that a failed attempt can be retried before expiry (the certbot documentation recommends twice a day; many distribution packages install a systemd timer or cron job that does this already). Set up automatic renewal:

```bash
# Test renewal
sudo certbot renew --dry-run

# Add to crontab
0 0 1 * * certbot renew --quiet && systemctl reload trojan
```

After renewal, send SIGHUP to the server to reload the new certificate (if supported), or restart the service. The crontab line above reloads whenever the renew command exits successfully, even when nothing was renewed; `certbot renew --deploy-hook "systemctl reload trojan"` runs the reload only for certificates that were actually renewed.
Mutual TLS (mTLS)
trojan-rs supports client certificate authentication via mTLS. Configure the CA certificate that signed the client certificates:

```toml
[tls]
cert = "/etc/trojan/cert.pem"
key = "/etc/trojan/key.pem"
client_ca = "/etc/trojan/client-ca.pem" # CA for verifying client certs
```

When `client_ca` is set, the server requires every client to present a valid certificate signed by that CA during the TLS handshake, in addition to Trojan protocol authentication. Clients that present no certificate, or one issued by a different CA, are rejected during the handshake, before the Trojan password is ever checked. Use a dedicated private CA for client certificates: any certificate the configured CA has issued passes this TLS-layer check, so the CA defines who can reach the handshake at all.
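The self-signed trust model and the mTLS gate described above, exercised end to end. This is an added example written for this page in Go, not trojan-rs code: it issues the same kind of ECDSA P-256 certificate with Subject Alternative Names that `trojan cert generate` produces, plus a client CA and a client certificate, then runs a loopback TLS server configured the way `client_ca` implies (client certificate required and checked against that CA) and connects to it with clients that mirror the page's `ca` and `skip_verify` options. The names, the in-memory certificates and the scenario labels are constructed for the example; how trojan-rs itself implements these options is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates an ECDSA P-256 certificate valid for `days` days. With parent == nil it is
// self-signed (the shape `trojan cert generate` writes); otherwise parent, a CA, signs it.
func issue(cn string, dns []string, ips []net.IP, days int, isCA bool, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns, // Subject Alternative Names, as --domain
		IPAddresses:           ips, // Subject Alternative Names, as --ip
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be permitted to sign certificates
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// handshake connects one client to a loopback TLS server and returns the first error either
// side reports. A TLS 1.3 client finishes its handshake before the server has judged the
// client certificate, so the server's verdict is collected too, or an mTLS rejection would pass.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	return <-verdict
}

// Scenarios issues a self-signed server certificate, a client CA and one client certificate,
// then runs the client/server combinations this page describes. nil means the handshake succeeded.
func Scenarios() map[string]error {
	server := issue("trojan", []string{"example.com", "localhost"}, []net.IP{net.ParseIP("127.0.0.1")}, 365, false, nil)
	clientCA := issue("client-ca", nil, nil, 3650, true, nil)
	client := issue("alice", nil, nil, 365, false, &clientCA)
	roots := x509.NewCertPool() // what `ca = cert.pem` gives the client
	roots.AddCert(server.Leaf)
	clientCAs := x509.NewCertPool() // what `client_ca = client-ca.pem` gives the server
	clientCAs.AddCert(clientCA.Leaf)
	srv := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the effect of setting client_ca
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS13, // min_version = "tls13"
	}
	trusting := func(name string, certs ...tls.Certificate) *tls.Config { // ca set; name checked against SANs
		return &tls.Config{RootCAs: roots, ServerName: name, Certificates: certs}
	}
	return map[string]error{
		"ca-with-client-cert":          handshake(srv, trusting("localhost", client)),
		"ca-name-not-in-san":           handshake(srv, trusting("evil.example", client)),
		"ca-without-client-cert":       handshake(srv, trusting("localhost")),
		"no-ca-configured":             handshake(srv, &tls.Config{ServerName: "localhost", Certificates: []tls.Certificate{client}}),
		"skip-verify-with-client-cert": handshake(srv, &tls.Config{InsecureSkipVerify: true, Certificates: []tls.Certificate{client}}),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Only the two clients that present a certificate from the client CA get a nil error. Of those, the `skip_verify` client connects without ever checking who the server is, which is exactly why that option is for testing only; the client with no `ca` fails on the client side (unknown authority), the client using a name absent from the SAN list fails on the client side too, and the client without a certificate passes its own handshake but is rejected by the server, which is why the server's verdict is read separately.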
TLS Version Configuration
```toml
[tls]
min_version = "tls12" # Minimum: tls12 or tls13
max_version = "tls13" # Maximum: tls12 or tls13
```

For maximum security, restrict to TLS 1.3 only:

```toml
[tls]
min_version = "tls13"
max_version = "tls13"
```

TLS 1.3 drops renegotiation and the legacy cipher suites of TLS 1.2, and it encrypts the server's certificate instead of sending it in the clear. The trade-off is that clients that only speak TLS 1.2 can no longer connect, so check your clients before enabling this.
ALPN Configuration
```toml
[tls]
alpn = ["http/1.1"]
```

ALPN (Application-Layer Protocol Negotiation) is a TLS extension: the client lists the application protocols it supports in the ClientHello and the server selects one. Setting `["http/1.1"]` makes the server negotiate the same protocol a standard HTTPS server would, so the handshake looks like ordinary web traffic to network observers. The client's list is sent in cleartext, so it is the client-side value an observer sees; keep the client and server lists consistent, since a server with no protocol in common with the client may refuse the handshake with a `no_application_protocol` alert.