I can’t seem to find what is wrong with my mTLS setup:
Firstly, using HTTPS for traffic:
- I have a private and public key created for my Kong Enterprise server, as well as the CA (DigiCert) certificates which issued the keys
- using Kong Manager and the Certificates menu option, I add my public/private keys in the Certificates tab, and CA certificates in the CA Certificates tab.
- I use the SNI menu to create an SNI entry with my Kong server as the SNI name, and link this to the uploaded certificate defined in the previous step
Using Postman, I can make an HTTPS API request, and I see that this works well. The certificate returned by Kong is no longer the default self-signed cert, and this is accepted by POSTMAN.
Now I want to set up mTLS…
- I add the mTLS plugin, and specify the CA Certificate IDs from the ones entered in #2 above. These are the intermediary and root CAs which signed the server’s keys.
- I set up my POSTMAN client with the same private/public and CA certs used in #1/#2 above and make another call.
Kong returns “TLS certificate failed verification” - which the documentation says means the certificate presented by the client could not be verified or has expired. I know it has not expired, and the certificate presented from the POSTMAN client has been issued by the CAs’ certs I have entered in the plugin.
So I do not know where to go from here.
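An added, self-contained illustration of what "failed verification" reduces to on the server side; this is example code written for this thread, not the poster's setup and not Kong's own code. It builds a constructed three-tier chain (root CA, intermediate CA, client certificate) with Go's standard library and then verifies the client certificate the way a TLS server does: the verifier needs an unbroken path from the presented leaf to a CA it has been told to trust. The `trusted` list stands in for the CA certificates handed to the mTLS plugin, and `presented` stands in for any extra certificates the client sends with its leaf; both names, and the subject names, are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed chain: Root signs Intermediate, Intermediate signs Client.
// None of these certificates are real; they are generated fresh on every run.
type PKI struct {
	Root, Intermediate, Client *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with the parent's key and parses the result back into a certificate.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildPKI creates a self-signed root, an intermediate issued by the root, and a
// client-auth leaf issued by the intermediate (the shape of a typical public-CA issuance).
func BuildPKI() PKI {
	now := time.Now()
	rootKey, interKey, clientKey := newKey(), newKey(), newKey()

	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn}, // constructed names
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTmpl(1, "Example Root CA")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := mustCert(caTmpl(2, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)

	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example-client"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client := mustCert(clientTmpl, inter, &clientKey.PublicKey, interKey)
	return PKI{Root: root, Intermediate: inter, Client: client}
}

// VerifyClient performs the check a server makes on a client certificate during mTLS:
// trusted is the CA list configured on the server, presented is whatever extra
// certificates arrived alongside the leaf. A nil error means the chain verified.
func VerifyClient(leaf *x509.Certificate, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	p := BuildPKI()
	all := []*x509.Certificate{p.Root, p.Intermediate}
	fmt.Println("root trusted, intermediate nowhere:     ", VerifyClient(p.Client, []*x509.Certificate{p.Root}, nil))
	fmt.Println("root and intermediate trusted:          ", VerifyClient(p.Client, all, nil))
	fmt.Println("root trusted, intermediate sent by client:", VerifyClient(p.Client, []*x509.Certificate{p.Root}, []*x509.Certificate{p.Intermediate}))
}
```

The first case fails with an unknown-authority error even though the leaf was genuinely issued under the trusted root, because the verifier has no way to reach the root without the intermediate; the other two succeed once the intermediate is available, either in the server's trusted set or in what the client presents. When debugging a "failed verification" result, the question to settle first is therefore which certificates the server actually has in hand at verification time, and whether they form a complete path from the presented leaf to a trusted CA.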