Kong mTLS using AWS ALB and ACM

Hi All,

Would like to get some ideas/possible options on the below scenario:
Problem Statement: We want to enable mTLS to add an extra layer of security to the public endpoints exposed via Kong.
Current Setup:

  • Kong Enterprise deployed in DB-less mode in an AWS EKS cluster
  • AWS ALB is used as the Kong Ingress Controller
  • ACM is used for the generation of public certificates

Given that private keys cannot be exported from AWS ACM, what are the possible options to implement mTLS using Kong in the current setup, as this would require SSL termination at the Kong instance?

Below are the reference docs we already followed:
https://docs.konghq.com/kubernetes-ingress-controller/1.3.x/guides/using-mtls-auth-plugin/

There are 2 issues here.

  1. The TLS handshake must be done with Kong for mTLS. You need an L4 load balancer like an NLB, not an ALB.
  2. Public ACM does not allow you to export the private key, which means your client won’t be able to present a client certificate to validate. You might need to use something like “Private Certificate Authority - AWS Certificate Manager - Amazon Web Services (AWS)” or some other CA to generate client certificates for you. See also “amazon web services - How do I get client certificate from ACM? - Stack Overflow”.
1 Like

Yeah this makes sense. Thanks for reply.

Isn’t the other option to terminate SSL in the WAF or ALB and enforce mTLS there, send the client cert info (CName or whatever) in a header, and then enforce the header in Kong?

I don’t think so.

Without the server verifying the client certificate, it is not mTLS.

https://www.cloudflare.com/en-au/learning/access-management/what-is-mutual-tls/

What I meant was you could enforce mTLS in Cloudflare but pass the cert info down to Kong so that the API can either do additional validation or ensure that it did occur.
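The two points made in this thread (the handshake must end at the component that verifies the client certificate, and client certificates have to come from a CA whose signing key you hold, since a public ACM key cannot be exported) can be seen in a small stand-alone program. The following is an added example written for this thread, not code from Kong, AWS or any poster: it builds a throwaway in-memory private CA with Go's standard library, stands in for the TLS terminator (the role Kong plays behind an NLB), and shows that only a client certificate chaining to that CA is accepted. It also echoes the verified CN back in a header-style line, which is the kind of value a terminating proxy would forward upstream as in the "pass the cert info in a header" idea above; note the rogue client uses the same CN, so the CN alone proves nothing, only the verified chain does. All names (`lab-private-ca`, `partner-app-01`, `X-Client-CN`) are constructed for the example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// issue creates a certificate for cn signed by parent/parentKey, or self-signed
// when parent is nil (a throwaway private CA; an ACM private CA would play this role).
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// Lab is a running mTLS terminator plus the client identities used to probe it.
type Lab struct {
	Addr      string
	pool      *x509.CertPool  // the single CA the server trusts for client certs
	ClientOK  tls.Certificate // issued by that CA: accepted
	ClientBad tls.Certificate // same CN, issued by an unrelated CA: rejected
}

// NewLab creates the CA and certificates and starts a TLS listener that requires
// and verifies client certificates, echoing the verified client CN back as a header line.
func NewLab() *Lab {
	caTLS, caCert := issue("lab-private-ca", true, nil, nil)
	caKey := caTLS.PrivateKey.(*ecdsa.PrivateKey)
	serverCert, _ := issue("127.0.0.1", false, caCert, caKey)
	clientOK, _ := issue("partner-app-01", false, caCert, caKey)
	rogueTLS, rogueCert := issue("rogue-ca", true, nil, nil)
	clientBad, _ := issue("partner-app-01", false, rogueCert, rogueTLS.PrivateKey.(*ecdsa.PrivateKey))

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes it mTLS
		ClientCAs:    pool,
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(tc *tls.Conn) {
				defer tc.Close()
				if err := tc.Handshake(); err != nil {
					return // unverified client: no identity is ever forwarded upstream
				}
				cn := tc.ConnectionState().PeerCertificates[0].Subject.CommonName
				fmt.Fprintf(tc, "X-Client-CN: %s\n", cn)
			}(c.(*tls.Conn))
		}
	}()
	return &Lab{Addr: ln.Addr().String(), pool: pool, ClientOK: clientOK, ClientBad: clientBad}
}

// Connect dials the lab server presenting cert (nil = no client cert) and returns
// the identity line the server sent, or the error from the rejected handshake.
func (l *Lab) Connect(cert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: l.pool, MinVersion: tls.VersionTLS12}
	if cert != nil {
		cfg.Certificates = []tls.Certificate{*cert}
	}
	conn, err := tls.Dial("tcp", l.Addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	_ = conn.SetDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n') // under TLS 1.3 the server's rejection surfaces here
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), nil
}

func main() {
	lab := NewLab()
	for name, cert := range map[string]*tls.Certificate{"trusted": &lab.ClientOK, "rogue": &lab.ClientBad, "none": nil} {
		line, err := lab.Connect(cert)
		fmt.Printf("client cert %-8s -> %q err=%v\n", name, line, err)
	}
}
```

Run it and only the `trusted` probe gets an `X-Client-CN` line; the `rogue` and `none` probes fail at the handshake and never reach the point where an identity header would be produced. That is the property an ALB in front of Kong cannot provide for Kong's benefit: whichever hop terminates TLS is the only hop that can verify the client chain, so if the ALB terminates, the verification (and any header it emits) must be trusted from there, and Kong can only check that the header is present rather than verify the certificate itself.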