DirectRoot, I ran into a similar testing scenario as you (testing the Boundary API TLS server cert and client cert verification) and after much digging was able to resolve it!
My scenario setup:
- Boundary Desktop is on Windows 10, v1.2.1
- Boundary Controller and Worker are on Linux, v0.5.1
- I have a self-signed root CA which has signed my Boundary API TLS cert (used for API HTTPS) and my client cert (used for desktop PKI).
After importing the self-signed Root CA and PKI cert into a browser (Firefox) on the Windows 10 host, I am able to reach the Boundary API - no worries.
To reach the Boundary API from the Boundary Desktop Application using self-signed certs I had to do the following:
- Launch Windows cert manager (crtmgr)
- Import the self-signed Root CA cert into ‘Trusted Root Certification Authorities’
- Import the self-signed PKI cert into ‘Personal’ (optional if you’re not using client side PKI)
- And finally, launch Boundary Desktop from PowerShell with the following command and cmdline flag
Boundary Desktop is an Electron app, so I was able to resolve it by digging through the docs - Supported Command Line Switches | Electron
Boundary Devs - If you’re reading, this is probably worth adding to your docs somewhere as I’d imagine there’s plenty of folk testing the Boundary API/Desktop with self-signed certs.
I hope this helps!
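
A scripted equivalent of the certificate-store steps in the post above, followed by a check that the API cert actually chains to the imported root. This is an added example, not part of the original post; the file names are placeholders and it checks chain trust only, not hostname matching.

```powershell
# Added example: all paths below are placeholders, not values from the post.
param(
    [string]$RootCaPath  = '.\root-ca.crt',       # self-signed root CA (.cer/.crt)
    [string]$ApiCertPath = '.\boundary-api.crt',  # Boundary API TLS server cert
    [string]$ClientPfx   = ''                     # optional client PKI cert with key (.pfx)
)
$ErrorActionPreference = 'Stop'

# Trust the root CA for the current user only; Windows shows a confirmation
# prompt when a certificate is added to the user's Root store.
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\CurrentUser\Root
"Trusted root: $($root.Subject) [$($root.Thumbprint)]"

# Optional: client certificate and private key into 'Personal'.
if ($ClientPfx) {
    $pw = Read-Host -AsSecureString "Password for $ClientPfx"
    $client = Import-PfxCertificate -FilePath $ClientPfx `
        -CertStoreLocation Cert:\CurrentUser\My -Password $pw
    "Client cert: $($client.Subject), has private key: $($client.HasPrivateKey)"
}

# Confirm the API cert now builds a chain to a trusted root.
# Resolve-Path is needed because .NET does not follow PowerShell's current location.
$apiCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    (Resolve-Path $ApiCertPath).Path)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a private test CA usually has no CRL/OCSP

if ($chain.Build($apiCert)) {
    $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "OK: $($apiCert.Subject) chains to $($anchor.Subject)"
} else {
    # Print each reason the chain failed (e.g. UntrustedRoot, NotTimeValid).
    $chain.ChainStatus | ForEach-Object {
        "FAIL: $($_.Status) - $($_.StatusInformation.Trim())"
    }
}
```

An `UntrustedRoot` status here means the root import did not take effect for this user; fixing that is preferable to relaxing certificate checks in the client.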