Hi, I’m setting up mutual authentication on Kong. As far as I understand, to achieve this I’m following the steps below:
Step 1: I need to add the certificate (self-signed X509 / CA-signed) & key (private) of my host (first party) [under my workspace].
Step 2: I need to add the shared certificate provided by the other party (client). But then the ‘key’ part is supposed to be empty, but Kong doesn’t allow this? How is this supposed to be resolved?
Step 3: I need to enable the mtls-auth plugin, wherein I need to provide the id generated in step 2 for the field config.ca_certificates.
Correct me if I’m wrong anywhere & kindly answer my query mentioned in step two.
Under my Kong workspace I added my private key & the signed certificate issued by the other party/CA (the CA essentially signed the CSR I sent).
I enabled the Mutual TLS Authentication plugin. (First I added the Certificate Authority; for that I did a POST curl request to the route /ca_certificates of the Kong host, passing the Root CA certificate shared with me by the other party.)
I added the id generated from the response of the above request for the field config.ca_certificates under Kong UI – MTLS-Auth-Plugin.
Now I have a query regarding where exactly I need to place our Root-CA certificate & Root-CA key, which I/the CA used to sign the other party’s CSR. Would the above endpoint accept the Root-CA key as well, or should I place it under the (/usr/share/ca-certificate) path of the VM hosting Kong & try running update-ca-certificate & restarting Kong?
Or is there any other way to configure my/the CA’s Root-CA certificate & key pair?
Correct me if I’m wrong anywhere in my understanding & kindly provide a solution for the above query.
Since the certificate presented by the client is signed by me/my CA using my/the CA’s Root-CA certificate & key beforehand, my Root-CA certificate (& maybe the Root-CA key too) should be used to verify when the client presents its certificate. Is this right?
If so, I believe I can do this using /ca_certificates with -F cert=@my-ca-root-cert.pem?
Isn’t there any need for the client-root-ca-certificate (which was used by the client CA to sign my/the server’s CSR to get the server certificate beforehand) in any of the verification? (P.S. - This server certificate will essentially be presented by the server/Kong during the TLS handshake.)
Hi, currently I’m facing a problem with the way Kong presents the certificate when a client makes a request to a route under a workspace which has a certificate configured, i.e.
it is presenting the default certificate (which is at the path /usr/local/kong/ssl/kong-default.crt),
not the certificate I configured at the workspace level.
(Note - I’ve enabled the mutual authentication plugin and added the required CA certificates.)
Query: How could we enable Kong to present the configured certificates to the client at the workspace level?
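The Admin API sequence the posts above describe, as an added example that is not code from this thread or from Kong itself: it binds the gateway's own certificate to an SNI (the hostname the client requests; without a matching SNI Kong serves kong-default.crt), uploads only the Root CA certificate to /ca_certificates (the CA private key is never given to Kong; verification needs only the public certificate), and references the returned id in mtls-auth. The admin URL with workspace prefix, the SNI hostname, the route name and the PEM contents are assumptions.

```python
import json
import urllib.request


def _require_certificate_pem(pem):
    """Reject a private key (or anything else) where a certificate is expected.

    /ca_certificates takes the CA certificate only; the CA private key stays
    offline, since Kong only needs the public key to verify client certs.
    """
    if "PRIVATE KEY" in pem or "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("expected a PEM certificate, not a key")
    return pem


def _http_send(method, url, body):
    """Default transport: one JSON request to the Kong Admin API."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def configure_mtls(admin_url, server_cert_pem, server_key_pem, sni,
                   root_ca_pem, route=None, send=_http_send):
    """Three Admin API calls; returns the ids Kong assigned.

    admin_url may carry a workspace prefix (assumed: http://host:8001/myws).
    route: name or id of the route to protect; None means a global plugin.
    """
    # 1. The gateway's own cert + private key, bound to the hostname the
    #    client sends in SNI. Without a matching SNI Kong serves
    #    kong-default.crt, regardless of what the workspace holds.
    cert = send("POST", f"{admin_url}/certificates",
                {"cert": _require_certificate_pem(server_cert_pem),
                 "key": server_key_pem, "snis": [sni]})
    # 2. Trust anchor for client certificates: certificate only, no key.
    ca = send("POST", f"{admin_url}/ca_certificates",
              {"cert": _require_certificate_pem(root_ca_pem)})
    # 3. mtls-auth referencing the CA id from step 2.
    scope = f"/routes/{route}" if route else ""
    plugin = send("POST", f"{admin_url}{scope}/plugins",
                  {"name": "mtls-auth",
                   "config": {"ca_certificates": [ca["id"]]}})
    return {"certificate": cert["id"], "ca_certificate": ca["id"],
            "plugin": plugin["id"]}
```

Read the PEM strings from the same files passed to the curl -F commands above; the mtls-auth plugin itself is only available in Kong Enterprise.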