I can’t seem to find what is wrong with my mTLS setup:
Firstly using HTTPS for traffic:
1. I have a private and public key created for my Kong Enterprise server, as well as the CA (DigiCert) certificates which issued the keys.
2. Using Kong Manager and the Certificates menu option, I add my public/private keys in the Certificates tab, and the CA certificates in the CA Certificates tab.
3. I use the SNI menu to create an SNI entry with my Kong server as the SNI name, and link this to the uploaded certificate defined in the previous step.
4. Using Postman, I can make an HTTPS API request, and I see that this works well. The certificate returned by Kong is no longer the default self-signed cert, and this is accepted by Postman.
Now I want to set up mTLS…
I add the mTLS plugin, and specify the CA certificate IDs from the ones entered in #2 above. These are the intermediary and root CAs which signed the server’s keys.
I set up my Postman client with the same private/public and CA certs used in #1/#2 above and make another call.
Kong returns “TLS certificate failed verification”, which the documentation says means the certificate presented by the client could not be verified or has expired. I know it has not expired, and the certificate presented by the Postman client has been issued by the CA certs I have entered in the plugin.
Hi
Thanks for this. Yes, using the same DigiCert TLS cert for mTLS should work.
You are correct - I did not set up a consumer object. I did not think this was required, and obviously missed that. After setting up a consumer with name = the CN of the certificate, my mTLS seems to work just fine.
I’m facing this issue where it displays in Postman:
“message”: “No required TLS certificate was sent”
CA certificate configured in Kong and Postman. Following the suggested solution, I also added a consumer with the CN of the CA, and I still get the message:
“message”: “No required TLS certificate was sent”
I did the configuration following the Kong documentation:
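The three outcomes in this thread (no certificate sent, certificate not verifiable against the configured CAs, certificate verified but no consumer for its CN) come down to two checks that run after the TLS handshake. The following is an added illustration, not Kong's code and not the mtls-auth plugin's implementation: it builds a throwaway root/intermediate/client PKI in memory (hypothetical names such as "Example Root CA", "alice" and "bob", no relation to DigiCert or the posters' certificates), models the plugin's CA list as an `x509.CertPool`, and models consumers as a map keyed by username. The error strings are the two messages quoted above; the `pool`, `issue` and `authenticate` names are this example's own. Beyond the specific cases posted, it also shows why listing both the intermediate and the root matters: a client that sends only its leaf certificate verifies only if the issuing intermediate is itself in the configured CA list, or if the client sends the intermediate along with the leaf.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// The first two messages are the ones quoted in the thread; the third is the case the first reply hit.
var (
	ErrNoCert     = errors.New("No required TLS certificate was sent")
	ErrVerifyFail = errors.New("TLS certificate failed verification")
	ErrNoConsumer = errors.New("no consumer whose username matches the certificate CN")
)

type certPair struct { // a certificate from the throwaway test PKI together with its private key
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue mints a P-256 certificate for cn signed by parent (self-signed when parent is nil); fixture code, panics on failure.
func issue(cn string, isCA bool, parent *certPair) *certPair {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &certPair{cert: cert, key: key}
}

// pool models the plugin's CA certificate list: the CAs Kong is told to trust for client certs.
func pool(cas ...*certPair) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range cas {
		p.AddCert(c.cert)
	}
	return p
}

// authenticate applies the two checks the thread runs into, in order: the presented
// chain (leaf first, then any intermediates the client sent) must verify against the
// trusted CAs, then the leaf CN must name an existing consumer, which is returned.
func authenticate(peer []*x509.Certificate, cas *x509.CertPool, consumers map[string]bool) (string, error) {
	if len(peer) == 0 {
		return "", ErrNoCert
	}
	inter := x509.NewCertPool()
	for _, c := range peer[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: cas, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer[0].Verify(opts); err != nil {
		return "", fmt.Errorf("%w: %v", ErrVerifyFail, err)
	}
	cn := peer[0].Subject.CommonName
	if !consumers[cn] {
		return "", fmt.Errorf("%w: %q", ErrNoConsumer, cn)
	}
	return cn, nil
}

func main() {
	root := issue("Example Root CA", true, nil)
	inter := issue("Example Issuing CA", true, root)
	alice := issue("alice", false, inter)
	bob := issue("bob", false, issue("Other CA", true, nil))
	consumers := map[string]bool{"alice": true} // consumer username == client cert CN
	show := func(label string, peer []*x509.Certificate, cas *x509.CertPool) {
		name, err := authenticate(peer, cas, consumers)
		fmt.Printf("%-50s consumer=%q err=%v\n", label, name, err)
	}
	show("nothing sent", nil, pool(root, inter))
	show("bob: issuing CA not listed in the plugin", []*x509.Certificate{bob.cert}, pool(root, inter))
	show("alice: leaf only, plugin lists root only", []*x509.Certificate{alice.cert}, pool(root))
	show("alice: leaf only, plugin lists root+intermediate", []*x509.Certificate{alice.cert}, pool(root, inter))
	show("alice: leaf+intermediate, plugin lists root only", []*x509.Certificate{alice.cert, inter.cert}, pool(root))
}
```

Run it with `go run .`; the first two cases print the two messages from the thread, the third fails verification because nothing bridges the leaf to the root, and the last two succeed. When debugging a real setup, the same questions apply: is the client actually sending a certificate for that host, does the chain it sends reach a CA in the plugin's list, and is there a consumer whose username equals the certificate's CN.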