Sometimes, for additional security or authentication purposes, you will want the server to verify who the client is during the TLS handshake, before any request is accepted.
To support this, Emissary-ingress can be configured to use a CA certificate you provide to validate the certificates sent by your clients. This gives you mutual TLS (mTLS) at the edge: Emissary-ingress presents its server certificate to the client, and the client presents a certificate that Emissary-ingress checks against the configured CA. A handshake whose client certificate does not chain to that CA is rejected outright, so the request never reaches a Mapping or an upstream service.
Create a certificate and key.
This can be done with a single openssl req invocation that produces a self-signed certificate and its private key.
Enter a passphrase for the PEM file and fill in the certificate information. Since this certificate will only be shared between a client and Emissary-ingress, the Common Name must be set to something; everything else can be left blank. A self-signed certificate acts as its own CA, which is what makes this walkthrough work with a single certificate; for anything beyond a test setup, issue client certificates from a dedicated CA and give Emissary-ingress only that CA's certificate.
Note: If using macOS, you must add the certificate and key to your Keychain as a PKCS#12 encoded file. To do this:
1. Convert the certificate and key.pem created above into a PKCS#12 bundle named certificate.p12.
2. Open "Keychain Access" on your system and select "File" -> "Import Items...".
3. Navigate to your working directory and select the certificate.p12 file just created.
Create a secret to hold the client CA certificate.
Configure Emissary-ingress to use this certificate for client certificate validation.
First create a Host to manage your domain:
Then create a TLSContext to configure advanced TLS options like client certificate validation. The TLSContext is where the secret holding the client CA is referenced and where presenting a client certificate is made mandatory:
Note: Client certificate validation requires that Emissary-ingress be configured to terminate TLS. The client certificate is checked as part of the TLS handshake, so a Host that passes TLS through to the upstream cannot validate it.
Emissary-ingress is now configured to validate the certificates that clients present.
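The manifests for the secret, the Host and the TLSContext, as an added example rather than the page's own configuration. The CA secret is assumed to have been created from the certificate file with kubectl create secret generic client-cacert --from-file=tls.crt=cert.pem, which stores the PEM under the tls.crt key that ca_secret expects. The object names, the hostname host.example.com and the server-certificate secret host-secret are assumptions.

```yaml
# Added example; object names, hostname and secret names are assumptions.
---
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  name: example-host
spec:
  hostname: host.example.com
  acmeProvider:
    authority: none          # certificate is supplied by hand, not by ACME
  tlsSecret:
    name: host-secret        # server certificate + key for host.example.com
  tlsContext:
    name: example-host-context
  requestPolicy:
    insecure:
      action: Reject         # plain HTTP is refused rather than redirected
---
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: example-host-context
spec:
  hosts:
  - host.example.com
  secret: host-secret        # same server secret as the Host above
  ca_secret: client-cacert   # Secret whose tls.crt is the client CA
  cert_required: true        # handshake fails if no client cert is presented
```

Two points worth checking before relying on this. First, cert_required defaults to false: with only ca_secret set, a client that presents a certificate has it validated, but a client that presents none is still let through, so a "validation" setup that omits cert_required is not enforcing mTLS. Second, the check is a chain check against the CA in ca_secret; every certificate that CA has issued is accepted, so who is allowed in is decided by what you sign, not by this configuration.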
Test that Emissary-ingress is validating the client certificates with curl, passing the client certificate and key with --cert and --key and running with -v so the handshake is shown.
Looking through the verbose output, you can see curl sending the client certificate during the handshake and Emissary-ingress accepting it, after which the request is served normally.
If you need further proof, create a new, unrelated set of certificates and send the same curl with those. Because the new certificate does not chain to the CA in the secret, the handshake fails: curl reports a TLS error rather than an HTTP response, and Emissary-ingress never routes the request.
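The certificate work from step 1 and the accept/deny check from the last step, as an added example that is not code from the Emissary-ingress docs. It builds a small client CA, issues a client certificate from it, then makes a second CA and certificate and checks both against the first CA with openssl verify. That is the same chain check Emissary-ingress (Envoy) performs with the CA from ca_secret during the handshake. The directory, file names and Common Names are assumptions; the only requirement is an openssl binary.

```shell
#!/bin/sh
# Added example, not from the Emissary-ingress docs. Names and CNs are assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# openssl req config used for every key and CSR, so the result does not depend
# on the system openssl.cnf. The DN section is a placeholder; -subj overrides it.
cat > "$WORKDIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions applied when signing a client leaf certificate.
cat > "$WORKDIR/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA certificate NAME.crt and private key NAME.key.
# NAME.crt is what goes into the Kubernetes secret referenced by ca_secret.
make_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$WORKDIR/req.cnf" -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# make_client NAME CA: key and CSR for NAME, signed by CA into NAME.crt.
make_client() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORKDIR/req.cnf" -subj "/CN=$1" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1.csr" -days 365 \
    -CA "$WORKDIR/$2.crt" -CAkey "$WORKDIR/$2.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# verify_client NAME CA: prints "ok" if NAME.crt chains to CA.crt and carries
# the clientAuth usage, "fail" otherwise. The output is matched rather than the
# exit status because old openssl versions exit 0 even on a failed verify.
verify_client() {
  if openssl verify -purpose sslclient -CAfile "$WORKDIR/$2.crt" \
       "$WORKDIR/$1.crt" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# Demo mirroring the walkthrough: the certificate issued by the configured CA
# is accepted; a freshly made certificate from another CA is rejected.
make_ca client-ca
make_client alice client-ca
make_ca rogue-ca
make_client mallory rogue-ca
echo "alice   -> $(verify_client alice client-ca)"    # ok
echo "mallory -> $(verify_client mallory client-ca)"  # fail
echo "files in $WORKDIR"
```

Against a real Host, the same two outcomes show up with curl -v --cacert ca-bundle.pem --cert alice.crt --key alice.key https://host.example.com/ (served) and the same command with mallory.crt and mallory.key (handshake error, no HTTP response). The extended key usage matters: with -purpose sslclient, a certificate that lacks clientAuth is refused even when it chains correctly, so keep the leaf profile above when issuing client certificates for Emissary-ingress.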