Does anyone know if it is possible to tell Incus which certificate distinguished names to trust? I’m thinking of something like OpenSearch’s mTLS implementation.
I’m very new to Incus, but it looks like its trust commands revolve around individual certificates, which means every time I update a short-lived client certificate, I have to update my Incus trust settings. Just wondering if there is a way to avoid that.
Trusting of individual certificates (as you’ve seen)
Trust of a certificate CA
When using a CA, you then have two enforcement options:
Use the CA in addition to the trust store, effectively just requiring all trust store entries be signed by the CA
Use the CA without the trust store, effectively trusting any valid certificate that was signed by the CA
The latter option may work for you with short-lived certificates.
Generally for more flexible authentication, we tend to rely on OIDC, effectively delegating the whole thing to an external IdP.
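The two enforcement modes described above, as an added Go example that is not Incus code: a constructed test CA issues short-lived client certificates, and `Trusted` either accepts any valid CA-signed certificate (CA-only mode) or additionally requires the certificate's SHA-256 fingerprint to be present in a trust store (CA plus trust store). The function names, the generated CA and the fingerprint-keyed store are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the constructed test PKI below stays short.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue creates a fresh P-256 key, signs tmpl with signer (self-signed when parent is nil) and parses the result.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil { // self-signed CA: it signs itself with its own new key
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// NewCA builds a constructed, test-only client CA (hypothetical name, not a real Incus CA).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-client-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// NewClientCert issues a client-auth certificate valid for ttl; a negative ttl yields an already expired cert.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, ttl time.Duration) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

// Fingerprint is the hex SHA-256 of the DER certificate, the key used for trust store entries here.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// Trusted first requires a valid chain to the CA (expiry and client-auth EKU included), then applies the
// mode: caOnly accepts any such certificate, otherwise its fingerprint must also be in the trust store.
func Trusted(c, ca *x509.Certificate, trustStore map[string]bool, caOnly bool) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false
	}
	return caOnly || trustStore[Fingerprint(c)]
}
```

In CA-only mode a rotated short-lived certificate needs no trust store update, while an expired certificate or one from a different CA is rejected in both modes.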
ACK, thanks for the follow-up. I need to get better at OIDC and SSO-type stuff in general, so I’ll start looking in that direction soon. In the meantime, it’s no big deal to update the incus truststore.