Client Certificate Validation
Sometimes, for additional security or authentication purposes, you will want the server to validate who the client is before establishing an encrypted connection.
To support this, Ambassador can be configured to use a provided CA certificate to validate certificates sent from your clients. This allows for client-side mTLS where both Ambassador and the client provide and validate each other's certificates.
Prerequisites
- openssl, for creating client certificates
- kubectl
- Ambassador Edge Stack
- cURL
Configuration
Create a certificate and key.
This can be done with a single openssl command:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Enter a passcode for the PEM files and fill in the certificate information. Since this certificate will only be shared between a client and Ambassador, the Common Name must be set to something. Everything else can be left blank.
Note: If using macOS, you must add the certificate and key to your Keychain as a PKCS#12-encoded file. To do this:
- Encode the cert.pem and key.pem created above in PKCS#12 format:

    openssl pkcs12 -inkey key.pem -in cert.pem -export -out certificate.p12

- Open "Keychain Access" on your system and select "File" -> "Import Items...".
- Navigate to your working directory and select the certificate.p12 file created above.
Create a secret to hold the client CA certificate.

    kubectl create secret generic client-cacert --from-file=tls.crt=cert.pem

Configure Ambassador Edge Stack to use this certificate for client certificate validation.
First create a Host to manage your domain:

    apiVersion: getambassador.io/v2
    kind: Host
    metadata:
      name: example-host
    spec:
      hostname: host.example.com
      acmeProvider:
        email: julian@example.com

Then create a TLSContext to configure advanced TLS options like client certificate validation:

    ---
    apiVersion: getambassador.io/v2
    kind: TLSContext
    metadata:
      name: example-host-context
    spec:
      hosts:
      - host.example.com
      secret: host.example.com
      ca_secret: client-cacert
      # Optional: Configures Ambassador to reject the request if the
      # client does not provide a certificate. Default: false
      cert_required: false

Note: Client certificate validation requires Ambassador Edge Stack to be configured to terminate TLS.
Ambassador is now configured to validate certificates that the client provides.
Test that Ambassador is validating the client certificates with curl.
Linux:

    curl -v --cert cert.pem --key key.pem https://host.example.com/

macOS:

    curl -v --cert certificate.p12:[password] https://host.example.com/

Looking through the verbose output, you can see we are sending a client certificate and Ambassador is validating it.
If you need further proof, simply create a new set of certificates and repeat the curl request with those. You will see Ambassador deny the request.
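The accept/deny decision described above can also be reproduced locally with openssl, without a cluster. This is an added example, not part of the Ambassador documentation; the file names, the CN, the 2048-bit key size and the unencrypted keys (-nodes) are assumptions chosen so it runs unattended. The second certificate deliberately reuses the same Common Name to show that the decision rests on the key behind the certificate in client-cacert, not on the name.

```shell
#!/bin/sh
# Added example: check locally which client certificates chain to the
# certificate that was stored in the client-cacert secret.
# All file names and the CN below are constructed for this example.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT   # do not leave private keys behind

# make_cert NAME CN: self-signed certificate plus key, non-interactive.
# rsa:2048 and -nodes are assumptions to keep the run fast and unattended.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$1.key.pem" -out "$WORKDIR/$1.cert.pem" \
        -days 365 -subj "/CN=$2" >/dev/null 2>&1
}

# trusted_by CA CERT: succeeds only if CERT verifies against CA.
trusted_by() {
    openssl verify -CAfile "$WORKDIR/$1.cert.pem" \
        "$WORKDIR/$2.cert.pem" >/dev/null 2>&1
}

# check_client CA CERT: prints "accept" or "reject".
check_client() {
    if trusted_by "$1" "$2"; then echo accept; else echo reject; fi
}

make_cert client "example-client"   # stands in for cert.pem / key.pem
make_cert other  "example-client"   # new key pair, identical Common Name

echo "original certificate: $(check_client client client)"
echo "new certificate:      $(check_client client other)"
```
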