Kong mTLS using AWS ALB and ACM

Hi All,

Would like to get some ideas/possible options on the for the below scenario:
Problem Statement: We want enable mTLS to add an extra layer of security to the public endpoints exposed via Kong.
Current Setup:

  • Kong Enterprise deployed in a DB less mode in AWS EKS cluster
  • AWS ALB is used as the Kong Ingress Controller
  • ACM is used for the generation of public certificates

Given private keys cannot be exported from the AWS ACM, what are the possible options to implement mTLS using Kong in the current setup as this would require the SSL termination at Kong instance.

Below are the reference docs we already followed:

There are 2 issues here.

  1. The tls handshake must be done with Kong for mTLS. You need a L4 Loadbalancer like NLB not ALB.
  2. Public ACM does not allow you to export private key which means your client won’t be able to present the client certificate to validate. You might need to use things like Private Certificate Authority - AWS Certificate Manager - Amazon Web Services (AWS) or some other CA to generate client certificate for you. amazon web services - How do I get client certificate from ACM? - Stack Overflow

Yeah this makes sense. Thanks for reply.

© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ