
Mutual TLS authentication #6170

Closed

@jdiamond

Description

ConnectTlsOptions (passed in to connectTls) does not allow client certificate and key options.

ListenTlsOptions (passed in to listenTls) does not allow a flag to request certificates from clients or a certificate authority option to validate those certificates.

ConnectTlsOptions does have a certFile option. IMO, this is poorly named as it doesn't distinguish between the CA certificate and the client certificate. Most other APIs would call that option something with "CA" in the name. In Node.js, it's called ca and cert is for the client certificate. In curl, it's called --cacert and --cert is for the client certificate.

certFile does make sense in ListenTlsOptions, though.

However, I don't think these options should be files as they could be loaded from a database or API (Consul, etcd, AWS Parameter Store, etc). See also #5810.

I propose deprecating certFile and adding the following options to ConnectTlsOptions:

  • ca (to validate certificates from server, replaces certFile)
  • cert (to present to server)
  • key (to authenticate with server)

In ListenTlsOptions, deprecate certFile and keyFile and add the following options:

  • cert (to present to clients, replaces certFile)
  • key (to authenticate with clients, replaces keyFile)
  • requestCert (to request certificates from clients)
  • ca (to validate certificates from clients)
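The proposal above can be checked for the mistakes that silently weaken mutual TLS before the options ever reach connectTls or listenTls. The following is an added example, not code from the Deno project or from the issue author. It models the proposed options as PEM strings (so they can come from a database or secret store rather than from files, as the issue asks) and validates them: `ca` and `cert` must be CERTIFICATE blocks, `key` must be a private key, `cert` and `key` must travel together, and `requestCert` without a `ca` is flagged because a server cannot validate what it cannot check against a CA. The interface names `ProposedConnectTlsOptions` and `ProposedListenTlsOptions` and the validation functions are assumptions for this example; the PEM bodies are constructed placeholders.

```typescript
// Added example, not code from the Deno project or from the issue author.
// Models the options proposed in the issue as PEM strings and checks a
// mutual-TLS configuration for common misconfigurations. All PEM bodies
// below are constructed placeholders, not real credentials.

interface ProposedConnectTlsOptions {
  hostname: string;
  port: number;
  ca?: string;   // CA bundle used to validate the server (replaces certFile)
  cert?: string; // client certificate presented to the server
  key?: string;  // private key proving possession of `cert`
}

interface ProposedListenTlsOptions {
  hostname?: string;
  port: number;
  cert: string;          // server certificate (replaces certFile)
  key: string;           // server private key (replaces keyFile)
  requestCert?: boolean; // ask each client for a certificate
  ca?: string;           // CA bundle used to validate client certificates
}

// Labels of the PEM blocks in a string, e.g. ["CERTIFICATE", "CERTIFICATE"].
function pemLabels(pem: string): string[] {
  const labels: string[] = [];
  const block = /-----BEGIN ([A-Z ]+)-----[\s\S]*?-----END \1-----/g;
  let m: RegExpExecArray | null;
  while ((m = block.exec(pem)) !== null) labels.push(m[1]);
  return labels;
}

// A value passed as `ca` or `cert` must be one or more CERTIFICATE blocks.
function isCertBundle(pem: string): boolean {
  const labels = pemLabels(pem);
  return labels.length > 0 && labels.every((l) => l === "CERTIFICATE");
}

// A value passed as `key` must be exactly one private key block
// (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...).
function isPrivateKey(pem: string): boolean {
  const labels = pemLabels(pem);
  return labels.length === 1 && /PRIVATE KEY$/.test(labels[0]);
}

// Problems with a client-side (connectTls) configuration; empty means usable.
function validateConnectOptions(o: ProposedConnectTlsOptions): string[] {
  const errors: string[] = [];
  if (o.ca !== undefined && !isCertBundle(o.ca)) {
    errors.push("ca must contain only CERTIFICATE blocks");
  }
  // A certificate without its key (or vice versa) cannot authenticate:
  // the server challenges the client to prove possession of the key.
  if ((o.cert === undefined) !== (o.key === undefined)) {
    errors.push("cert and key must be supplied together");
  }
  if (o.cert !== undefined && !isCertBundle(o.cert)) {
    errors.push("cert must be a CERTIFICATE block");
  }
  if (o.key !== undefined && !isPrivateKey(o.key)) {
    errors.push("key must be a single PRIVATE KEY block");
  }
  return errors;
}

// Problems with a server-side (listenTls) configuration; empty means usable.
function validateListenOptions(o: ProposedListenTlsOptions): string[] {
  const errors: string[] = [];
  if (!isCertBundle(o.cert)) errors.push("cert must be a CERTIFICATE block");
  if (!isPrivateKey(o.key)) errors.push("key must be a single PRIVATE KEY block");
  // Requesting client certificates only authenticates clients if there is a
  // CA to validate them against; without `ca` a presented cert is unchecked.
  if (o.requestCert && o.ca === undefined) {
    errors.push("requestCert is set but no ca is given to validate client certificates");
  }
  if (o.ca !== undefined && !isCertBundle(o.ca)) {
    errors.push("ca must contain only CERTIFICATE blocks");
  }
  return errors;
}

// Constructed placeholder PEMs: correct framing, meaningless bodies.
const SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nQ0EgcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n";
const SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nbGVhZiBwbGFjZWhvbGRlcg==\n-----END CERTIFICATE-----\n";
const SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\na2V5IHBsYWNlaG9sZGVy\n-----END PRIVATE KEY-----\n";

// Mutual TLS as it would be configured with the proposed option names:
// the server requests and validates client certs, the client validates the
// server and presents its own cert/key pair.
function demo(): { server: string[]; serverMissingCa: string[]; client: string[] } {
  return {
    server: validateListenOptions({ port: 8443, cert: SAMPLE_CERT, key: SAMPLE_KEY, requestCert: true, ca: SAMPLE_CA }),
    serverMissingCa: validateListenOptions({ port: 8443, cert: SAMPLE_CERT, key: SAMPLE_KEY, requestCert: true }),
    client: validateConnectOptions({ hostname: "localhost", port: 8443, ca: SAMPLE_CA, cert: SAMPLE_CERT, key: SAMPLE_KEY }),
  };
}

console.log(demo());
```

The `requestCert`-without-`ca` check is the one worth keeping even if the rest is dropped: it is the configuration that looks like mutual TLS but authenticates nobody. For comparison with the Node.js naming the issue cites, Node's `tls.createServer` takes the same `ca`, `cert`, `key` and `requestCert` names and additionally uses `rejectUnauthorized` (default true) to decide whether a client certificate that fails CA validation aborts the handshake.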

Labels

  • cli (related to cli/ dir)
  • public API (related to "Deno" namespace in JS)
  • suggestion (suggestions for new features, yet to be agreed)
  • tls (issues related to TLS implementation)