Replies: 1 comment 4 replies
-
|
@msmost Currently, the route-level mTLS support is lack for APISIX.
Did you mean, for different clients, you may use different CA certificate to verify their cert? |
Beta Was this translation helpful? Give feedback.
-
Correct. Each client would have a cert signed by different CA certificates. An example would be when we do not have possession of the CA certificate. Self-signed certificates can be used for setting up mTLS as long as the public key has been shared with us for verification. |
Beta Was this translation helpful? Give feedback.
-
|
Got it. So the concern will be how to choose the correct CA when doing the TLS handshake. |
Beta Was this translation helpful? Give feedback.
-
|
Has there been any other desire from the community to establish route level configuration support for mTLS? |
Beta Was this translation helpful? Give feedback.
-
|
+1 Would love to have route-level mTLS support, we have the exact same use-case. |
Beta Was this translation helpful? Give feedback.
-
After reading the Configure mTLS for client to APISIX tutorial, the options for configuring mTLS fall short of our desired use case.
Our use case would have APISIX:
Support client certificate authentication on a specific
route.The tutorial shows that during the Configure the
routein APISIX step, there isn't any part of therouteconfiguration that ties back to the mTLS setup. We conclude that when mTLS is configured ALLroutes are affected.We searched for a plugin that would assist in this configuration and weren't able to find one.
Support multiple client certificates to support authentication for multiple clients.
The tutorial shows how to add a single client certificate to an SSL object (Configure the certificate in APISIX). However, we need to be able to authenticate multiple clients using different certificates.
Beta Was this translation helpful? Give feedback.
All reactions