Need information on setting up of mutual authentication on Kong

Hi, I’m setting up mutual authentication on Kong. As far I understand to achieve the same I’m following below steps :

Step 1: I need to add certificate(self-signed X509/CA signed) & key (private) of my host (first-party) [under my workspace]

Step 2: I need to add shared certificate provided by other party(client). But then ‘key’ part in is supposed to be empty, but Kong doesn’t allow this ? How is this supposed to be resolved ?

Step 3: I need to enable mtls-auth plugin, where in I need to provide id generated in step 2 for the field config.ca_certificates.

Correct me if I’m wrong anywhere & kindly answer my query mentioned in step two.

You are adding a Certificate and not a CACertificate.
Those are two separate entities in Kong.

In other words I’m following below steps :

  1. Under my Kong workspace I added my private key & signed certificate issued from other party/CA (CA essentially signed CSR sent from me)

  2. I enabled Mutual TLS Authentication plugin. (Firstly I added Certificate Authority , for that I did POST curl request to the route /ca_certificates of Kong Host. By passing Root CA certificate shared to me from other party)

(curl -sX POST https://kong:8001/ca_certificates -F cert = @cert.pem )

  1. I added id generated from response of above request for the field config.ca_certificates under Kong UI – MTLS-Auth-Plugin

Now I have query regarding where exactly I need to place our Root-CA Certificate & Root-CA Key. Which I/CA used to sign other party’s CSR. Would the above endpoint accept Root-CA Key as well or should I need to place under (/usr/share/ca-certificate) path of VM hosting Kong & try running update-ca-certificate & restarting Kong.

Or is there any other way to configure my/CA Root-CA pair of certificate & key . ?

Correct me if I’m wrong anywhere in my understanding & kindly provide solution for above query

I need to place our Root-CA Certificate & Root-CA Key

What does this Root CA Cert and Key do?

You need only two things:

  • A cert and Key for Kong to present to your client. You do this using /certificates.
  • A CA cert (can be an intermediate one too) which can be used to verify the certificate presented by the client.

How to achieve this. ?

Since certificate presented by client is signed by me/my CA using my/CA’s Root-CA certificate & key before hand, my Root-CA-Certificate (& may be Root-CA-Key too) should be used to verify when client presents certificate. Is this right ?

If so, I believe I can do this using /ca_certificates with -F cert=@my-ca-root-cert.pem ?

Isn’t there any need of client-root-ca-certificate (which was used by client CA to sign my/server’s CSR to get server certificate before hand) in any of verification ? (P.S - This server certificate will essentially be presented by server/kong during TLS handshake) ?

You can specify a certificate chain in cert field if you need that.

Hi, Currently I’m facing a problem with the way Kong is presenting certificate when client makes a request to a route under a workspace which has certificate configured i.e.

It is presenting the default certificate (which is at path - /usr/local/kong/ssl/kong-default.crt)
not the certificate I configured at workspace level

(Note - I’ve enabled mutual authentication plugin and added required ca certificates)

Query:- How could we enable Kong to present the configured certificates to the client at the workspace level?

Since you are using Kong Enterprise, please use our official Enterprise support channel: