Mutual Authentication using client certificates

Hi,
I’m working in a team that’s building an IoT management platform. We have a requirement to implement mutual authentication using X509 Certificates.
Our platform should enable clients to upload their own client CA certs. Devices accessing our system should hold their own client certs and keys. When a message from a device arrives, we want to be able to authenticate them dynamically, using the specific client CA cert that was uploaded earlier.
We are using Kong as our system GW. I didn’t find any plugin that provides this behavior, nor the ability in the lua-nginx-module/lua-resty-core ssl component to manipulate client certificates.

Questions for this forum:

  • Am I missing something?
  • Is there a plan to create an MA plugin?
  • Any suggestions as to how I should tackle this if we want to implement this ourselves?

Thanks!

Do you actually want to let them upload their own CA?
Or do they submit their certificates to your own CA and get a certificate back?

It is possible with feat(core) add kong.resty.getssl module by james-callahan · Pull Request #3681 · Kong/kong · GitHub

Yes, it is on Kong’s roadmap, but when exactly I can’t say.

If you have clients submit certificate requests to a CA service, the design becomes much cleaner.

  • No need to hold onto all the client-generated CAs server-side: easier to scale!
  • You can use the normal nginx ssl_client_certificate directive
  • Client private keys still never leave the device
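The two designs in this reply differ in where trust is decided: with a single platform CA, nginx's `ssl_client_certificate` checks the chain during the handshake, whereas with per-tenant uploaded CAs the gateway has to accept the handshake first (nginx's `ssl_verify_client optional_no_ca`), hand the presented certificate to application code, and only then verify it against the CA that belongs to that tenant. The following is an added example of that second path, written in Go with the standard library's `crypto/x509`; it is not code from Kong, from the linked pull request, or from anyone in this thread. The tenant ID, the in-memory `tenantRoots` store, and the function names are assumptions for illustration; how the tenant is derived for a given request (SNI, route, header) is outside the example. The CA and device certificate are generated in the block itself as constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// tenantRoots is a hypothetical in-memory store of the CA each tenant uploaded.
var tenantRoots = map[string]*x509.CertPool{}

// RegisterTenantCA stores an uploaded CA certificate (PEM) under a tenant ID.
func RegisterTenantCA(tenant string, caPEM []byte) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("upload for tenant %q contains no parseable certificate", tenant)
	}
	tenantRoots[tenant] = pool
	return nil
}

// AuthenticateDevice verifies a device's leaf certificate strictly against the
// CA uploaded by the named tenant. Roots is set explicitly so the system trust
// store is never consulted, and KeyUsages pins the leaf to client auth.
func AuthenticateDevice(tenant string, leaf *x509.Certificate) (string, error) {
	roots, ok := tenantRoots[tenant]
	if !ok {
		return "", fmt.Errorf("no CA registered for tenant %q", tenant)
	}
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("device certificate rejected for tenant %q: %w", tenant, err)
	}
	return leaf.Subject.CommonName, nil
}

// newTenantCA generates a self-signed CA (constructed test material standing
// in for the CA a tenant would upload).
func newTenantCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueDeviceCert has the tenant CA sign a client-auth leaf for one device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &devKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certPEM encodes a certificate the way a tenant would upload it.
func certPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

func main() {
	caA, keyA, _ := newTenantCA("Tenant A Device CA")
	caB, _, _ := newTenantCA("Tenant B Device CA")
	_ = RegisterTenantCA("tenant-a", certPEM(caA))
	_ = RegisterTenantCA("tenant-b", certPEM(caB))
	dev, _ := issueDeviceCert(caA, keyA, "device-001")
	fmt.Println(AuthenticateDevice("tenant-a", dev)) // device-001 <nil>
	fmt.Println(AuthenticateDevice("tenant-b", dev)) // rejected: unknown authority
}
```

The check that matters is the tenant lookup before `Verify`: a device certificate signed by tenant A's CA must fail when presented under tenant B, and an unregistered tenant must fail closed rather than fall back to the system trust store, which is why `Roots` is always populated from the uploaded CA and never left nil. A tenant's CA also never needs to be trusted by the gateway's TLS layer itself, which is the scalability point made above.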

++ @milaw

@James_Callahan Thanks a lot for the quick response.

Do you actually want to let them upload their own CA?
Or do they submit their certificates to your own CA and get a certificate back?

The goal is to let the clients upload their own CA.
I’m aware that in case we use our CA to sign their certificates, it makes everything easier. However, the requirement was as I described.

– Rami