3 min • read

Client certificate validation

Sometimes, for additional security or authentication purposes, you will want the server to validate who the client is before establishing an encrypted connection.

To support this, Ambassador Edge Stack can be configured to use a provided CA certificate to validate certificates sent from your clients. This allows for client-side mTLS where both Ambassador Edge Stack and the client provide and validate each other's certificates.

Prerequisites

Configuration

  1. Create a certificate and key.

    This can be done with a single command with openssl:

    Enter a passcode for PEM files and fill in the certificate information. Since this certificate will only be shared between a client and Ambassador Edge Stack, the Common Name must be set to something. Everything else can be left blank.

    Note: If using MacOS, you must add the certificate and key as a PKCS encoded file to your Keychain. To do this:

    1. Encode cert.pem and key.pem created above in PKCS format

    2. Open "Keychain Access" on your system and select "File"->"Import Items..."

    3. Navigate to your working directory and select the certificate.p12 file we just created above.

  2. Create a secret to hold the client CA certificate.

  3. Configure Ambassador Edge Stack to use this certificate for client certificate validation.

    First create a Host to manage your domain:

    Then create a TLSContext to configure advanced TLS options like client certificate validation:

    Note: Client certificate validation requires Ambassador Edge Stack be configured to terminate TLS

    Ambassador Edge Stack is now be configured to validate certificates that the client provides.

  4. Test that Ambassador Edge Stack is validating the client certificates with curl

    Linux:

    MacOS:

    Looking through the verbose output, you can see we are sending a client certificate and Ambassador Edge Stack is validating it.

    If you need further proof, simply create a new set of certificates and try sending the curl with those. You will see Ambassador Edge Stack deny the request.