How do the /certificates and /snis endpoints work?

I have been trying to make use of the /certificates and /snis endpoints, but I can’t seem to make it work, and the documentation is rather sparse.

What I tried was adding a certificate for a server name, and was assuming this would automatically be picked up if I use the 8443 port of Kong with that host name.

Apparently there is some more configuration to do to make it work, but I do not know what.

Does the API also need to have the same host set? Currently, I am only using paths (uris) to resolve the APIs, and nothing else, and was hoping I could switch out the SSL certificate by simply adding a certificate via the /certificates endpoint. But a curl -v tells me it still uses the certificate which comes with Kong (on localhost, by Kong).

Ideas? What am I missing here?

/Martin

1 Like

Hi! Yes, I believe you need to set the hosts in order to map the APIs to the snis.

@DonMartin76 Hi,

Your SSL client needs to support the SNI extension, and send the SNI as part of the client hello during the handshake. After all, this is why the entity is called sni in Kong :)

Theoretically, there should be no need to register the API with the same HTTP Host, but that is usually how clients like curl implement the SNI extension. So if you set a different Host for your API definition, and request the API like so, it would typically not work. Better define the same SNI as the Host you will be requesting your API with.

2 Likes

When I get back on Monday, I’ll try this again, and post the list of curl commands I tried to make it work. There is no restriction on self-signed certificates, is there?