mTLS Setup returns 'TLS certificate failed verification'

I can’t seem to find what is wrong with my mTLS setup:

Firstly using HTTPS for traffic:

  1. I have a private and public key created for my Kong Enterprise server, as well as the CA (DigiCert) certificates which issued the keys.
  2. Using Kong Manager and the Certificates menu option, I add my public/private keys in the Certificates tab, and the CA certificates in the CA Certificates tab.
  3. I use the SNI menu to create an SNI entry with my Kong server as the SNI name, and link this to the uploaded certificate defined in the previous step.

Using Postman, I can make an HTTPS API request, and I see that this works well. The certificate returned by Kong is no longer the default self-signed cert, and this is accepted by POSTMAN.

Now I want to set up mTLS…

  • I add the mTLS plugin, and specify the CA Certificate IDs from the ones entered in #2 above. These are the intermediate and root CAs which signed the server’s keys.
  • I set up my POSTMAN client with the same private/public and CA certs used in #1/#2 above and make another call.

Kong returns “TLS certificate failed verification”, which the documentation says means the certificate presented by the client could not be verified or has expired. I know it has not expired, and the certificate presented by the POSTMAN client has been issued by the CA certs I have entered in the plug-in.

So I do not know where to go from here.

Steve

Hi Steve, did you try to use this same DigiCert TLS certificate for mTLS? (Personally I never did that, but it might work.)

If so, I don’t see you creating a consumer object. Did you create a consumer with a username that matches the DigiCert certificate CN?

You should also get more information from the debug log.

Hi
Thanks for this. Yes, using the same DigiCert TLS cert for mTLS should work.

You are correct - I did not set up a consumer object. I did not think this was required, and obviously missed that. After setting up a consumer with name = the CN of the certificate, my mTLS seems to work just fine.

Thank you very much!!
Steve

Hello,

I’m facing this issue, where Postman displays:
“message”: “No required TLS certificate was sent”

The CA certificate is configured in Kong and Postman. Following the suggested solution, I also added a consumer with the CN of the CA, and I still get the message:
“message”: “No required TLS certificate was sent”

I did the configuration following the Kong documentation:

Sorry for the English, I’m from Brazil.

This error means that Kong did not receive any client certificate in your request.

This normally happens when you don’t terminate TLS at Kong (for example, you are using an ALB in front of Kong and terminating TLS at the ALB).
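The three failure modes in this thread (no client certificate presented, certificate not chaining to the CA list given to the mTLS plugin, and no consumer whose username matches the certificate CN) can be reproduced locally before touching Kong. The script below is an added example, not Kong's code or the plugin's logic; it assumes only `openssl` is installed, and it builds its own throwaway CA, client certificate and consumer list as constructed fixtures.

```shell
#!/bin/sh
# Added example (not Kong's code): check a client certificate the way a Kong
# operator would before debugging the mtls-auth plugin:
#   1. Was a client certificate presented at all?   ("No required TLS certificate was sent")
#   2. Does it chain to the CA bundle given to the plugin? ("TLS certificate failed verification")
#   3. Does its CN match an existing consumer username? (the fix found in the thread)
set -u

# Build throwaway fixtures: a CA, a client cert it signed, and an unrelated CA.
# These are constructed for the example only.
make_fixtures() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=steve" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/client.pem" >/dev/null 2>&1
  # A CA that did NOT sign the client cert, to simulate a wrong CA list in the plugin.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  echo "$dir"
}

# check_client_cert CERT_PEM CA_BUNDLE_PEM CONSUMERS_FILE
# CONSUMERS_FILE holds one Kong consumer username per line (assumed format).
# Prints the thread's Kong message for the first failing check, or "OK <cn>".
check_client_cert() {
  cert=$1; ca=$2; consumers=$3
  if [ ! -s "$cert" ]; then
    echo "No required TLS certificate was sent"; return 1
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "TLS certificate failed verification"; return 1
  fi
  # Extract the CN; the mTLS plugin maps it to a consumer username.
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if ! grep -qx "$cn" "$consumers"; then
    echo "consumer not found for CN=$cn"; return 1   # this script's own message
  fi
  echo "OK $cn"
}
```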