Under my Kong workspace, I added my private key & the signed certificate issued by the other party/CA (the CA essentially signed the CSR sent from me).
I enabled the Mutual TLS Authentication plugin. (First I added a Certificate Authority; for that I made a POST curl request to the /ca_certificates route of the Kong host, passing the Root CA certificate shared with me by the other party.)
I added the id generated in the response to the above request to the field config.ca_certificates under Kong UI – MTLS-Auth-Plugin.
Now I have a query regarding where exactly I need to place our Root-CA certificate & Root-CA key, which I/CA used to sign the other party’s CSR. Would the above endpoint accept the Root-CA key as well, or do I need to place it under the (/usr/share/ca-certificate) path of the VM hosting Kong & try running update-ca-certificate & restarting Kong?
Or is there any other way to configure my/CA Root-CA pair of certificate & key?
Correct me if I’m wrong anywhere in my understanding & kindly provide a solution for the above query.
Since the certificate presented by the client is signed by me/my CA using my/CA’s Root-CA certificate & key beforehand, my Root-CA certificate (& maybe the Root-CA key too) should be used to verify when the client presents its certificate. Is this right?
If so, I believe I can do this using /ca_certificates with -F email@example.com?
Isn’t there any need for the client-root-ca-certificate (which was used by the client CA to sign my/server’s CSR to get the server certificate beforehand) in any of the verification? (P.S. - This server certificate will essentially be presented by the server/Kong during the TLS handshake.)