Kong API Gateway offers a few plugins to handle mutual TLS (mTLS) authentication and related features. These plugins ensure that clients are authenticated using certificates, providing an additional layer of security beyond standard TLS encryption. Key mTLS Plugins for Kong API Gateway mtls-auth Plugin (Kong Enterprise) Mutual TLS Authentication Plugin (Kong Gateway OSS) Basic Authentication with mTLS (Combined Usage) Custom mTLS Logic with Lua (Advanced Use Case) 1. mtls-auth Plugin (Kong Enterprise) Description: This plugin is available in Kong Enterprise and is specifically designed for mTLS authentication. It validates the client certificate presented during the TLS handshake against a set of CA certificates stored in Kong. Features: Validates client certificates using specified CA certificates. Supports multiple CA certificates. Can pass the client certificate information to upstream services. Configurable to allow or restrict access based on client certificate IDs. Configuration Options: config.ca_certificates: List of CA certificate IDs used to verify client certificates. config.allowed_client_certificates: List of client certificate IDs allowed to access the service or route. config.pass_client_cert: Boolean to decide whether to pass client certificate info to upstream services. 2. Mutual TLS Authentication Plugin (Kong Gateway OSS) Description: This plugin provides basic mTLS functionality in the open-source version of Kong. It requires client certificates for authentication and validates them against the provided CA certificates. Features: Validates client certificates using CA certificates. Simpler than the mtls-auth plugin and may not support advanced enterprise features. Configuration Options: ca_certificates: Array of CA certificate IDs for validation. allowed_client_certificates: Array of specific client certificates IDs. 3. Basic Authentication with mTLS (Combined Usage) Description: Although not an mTLS plugin by itself, Kong allows combining basic authentication plugins (like basic-auth) with mTLS for a two-layered authentication approach. Usage: Apply both the basic-auth plugin and the mtls-auth plugin to a service or route. Requires both a valid client certificate and a valid basic authentication credential. 4. Custom mTLS Logic with Lua (Advanced Use Case) Description: For advanced use cases where you need custom mTLS handling beyond what the plugins provide, you can use Kong’s serverless capabilities to write custom logic using Lua in a plugin like serverless-functions. Use Cases: Custom certificate validation logic. Dynamic CA certificate selection. Additional logging and monitoring for mTLS events. Choosing the Right Plugin For Enterprise Needs: If you have a Kong Enterprise license, the mtls-auth plugin is the most feature-rich option, offering advanced mTLS configurations and management capabilities. For Open Source Users: The Mutual TLS Authentication Plugin is available in Kong Gateway OSS but with fewer features. It’s suitable for basic mTLS needs. For Custom Logic: If your use case requires custom logic, consider using Lua scripting with serverless-functions to implement advanced mTLS workflows. Conclusion These plugins allow Kong to enforce mTLS for enhanced security. The choice between them depends on your version of Kong (Enterprise vs. OSS) and your specific security requirements. Configure mTLS plugin for kong api gateway

To configure mTLS (mutual TLS) in Kong API Gateway, you need to use the mtls-auth plugin, which validates client certificates against a set of trusted Certificate Authorities (CA). This process involves uploading the CA certificate to Kong, enabling the mtls-auth plugin for a service or route, and testing the configuration.
Steps to Configure mTLS in Kong
1. Upload CA Certificate to Kong
2. Enable the mtls-auth Plugin for a Service or Route
3. Test the mTLS Configuration
Step 1: Upload CA Certificate to Kong
You must upload the CA certificate to Kong so it can validate the client certificates.
1. Upload the CA Certificate using Kong Admin API:

curl -i -X POST http://:8001/ca_certificates \
–data “cert=@/path/to/ca.crt”
o Replace with your Kong Admin URL.
o This will upload the CA certificate to Kong, which will then be used to verify client certificates.
2. Check the Uploaded CA Certificate: Verify that the CA certificate has been uploaded correctly by listing all CA certificates:

curl -i -X GET http://:8001/ca_certificates
Step 2: Enable the mtls-auth Plugin
1. Enable the Plugin on a Service: You can apply the mtls-auth plugin to a specific service in Kong.

curl -i -X POST http://:8001/services//plugins \
–data “name=mtls-auth” \
–data “config.ca_certificates=” \
–data “config.allow_any_client_cert=true”
o Replace with the name or ID of the service you want to protect.
o Replace with the ID of the CA certificate you uploaded in step 1.
o allow_any_client_cert=true allows any client certificate issued by the uploaded CA to access the service.
2. Enable the Plugin on a Route: Alternatively, you can apply the plugin to a specific route.

curl -i -X POST http://:8001/routes//plugins \
–data “name=mtls-auth” \
–data “config.ca_certificates=” \
–data “config.allow_any_client_cert=true”
o Replace with the ID of the route you want to protect.
3. Optional Configuration Options:
o config.pass_client_cert=false: By default, the plugin does not pass the client certificate to the upstream service. Set this to true if you want to pass it.
o config.allowed_client_certificates: You can specify individual client certificate IDs if you want to allow only specific certificates.
Step 3: Test the mTLS Configuration
1. Test with a Valid Client Certificate: Make a request to the service or route using a client certificate signed by the trusted CA.
curl -v https://:/ \
–cert /path/to/client.crt \
–key /path/to/client.key
o If everything is configured correctly, you should receive a successful response.
2. Test with an Invalid or No Client Certificate: Try making a request without a client certificate or with an invalid one.
curl -v https://:/
o You should receive a 401 Unauthorized or 403 Forbidden response, indicating that the client certificate validation failed.
Additional Considerations
• Certificate Renewal: If you update your CA or client certificates, remember to update them in Kong as well.
• Multiple CA Certificates: You can upload multiple CA certificates to Kong and specify them in the config.ca_certificates array when configuring the plugin.
• Error Handling: If you encounter errors, check the Kong logs for detailed messages that can help diagnose issues.
Summary
1. Upload CA Certificate: Use the Admin API to upload the CA certificate.
2. Enable mTLS Plugin: Configure the mtls-auth plugin on your desired service or route, specifying the CA certificate.
3. Test and Verify: Ensure that the setup is correct by testing with valid and invalid client certificates.
By following these steps, you can configure mTLS in Kong to secure your API services, ensuring that only clients with trusted certificates can access them.