To generate a Certificate Authority (CA) certificate for Kong Gateway and configure it for mTLS (Mutual TLS), follow these steps. This process involves creating a root CA, generating client certificates, and setting up Kong to use them for mTLS authentication.
Steps Overview:
- Generate your own Certificate Authority (CA).
- Use the CA to sign client certificates.
- Upload the CA certificate to Kong.
- Configure Kong to enforce mTLS using the CA.
- Test the mTLS setup.
1. Generate a Certificate Authority (CA)
1.1. Generate the CA’s Private Key
openssl genrsa -out ca.key 2048
This command generates a 2048-bit RSA private key for your CA.
1.2. Create a Self-Signed Certificate for the CA
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=Your-CA-Name"
- This command creates a self-signed certificate valid for 10 years (3650 days).
- Customize the -subj fields with your information.
You now have two files:
- ca.key: The CA’s private key (keep this secure).
- ca.crt: The CA’s self-signed certificate, which you will use to sign client certificates.
2. Generate and Sign Client Certificates
2.1. Generate the Client’s Private Key
openssl genrsa -out client.key 2048
2.2. Create a Certificate Signing Request (CSR) for the Client
openssl req -new -key client.key -out client.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=Client-Name"
2.3. Sign the Client’s Certificate with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
This command signs the client certificate (client.crt) with your CA. The client.crt is valid for 1 year (365 days).
You now have:
- client.key: The client’s private key.
- client.crt: The client’s signed certificate.
3. Upload the CA Certificate to Kong
Kong needs the CA certificate to validate the client certificates during mTLS authentication. You can upload the CA certificate to Kong as follows:
curl -i -X POST http://localhost:8001/ca_certificates \
  -F "cert=@/path/to/ca.crt"
The -F form makes curl send the file's contents (a plain --data would send the literal path string, which Kong rejects as an invalid certificate). This registers the CA as a trusted certificate, enabling Kong to validate client certificates signed by it. The response body contains the new CA certificate's id; note it, because the plugin configuration in Step 4 refers to it.
4. Enable the mTLS Plugin in Kong
Now, configure Kong to enforce mTLS for a service or route using the mTLS Authentication plugin. This plugin requires clients to present a certificate signed by the CA.
4.1. Enable mTLS for a Service
To enable mTLS authentication on a specific service:
curl -i -X POST http://localhost:8001/services/<service_id>/plugins \
  --data "name=mtls-auth" \
  --data "config.ca_certificates=<ca_certificate_id>"
Replace <service_id> with the actual service ID and <ca_certificate_id> with the id returned when you uploaded the CA in Step 3.
4.2. Enable mTLS for a Route
Alternatively, you can enable mTLS for a specific route:
curl -i -X POST http://localhost:8001/routes/<route_id>/plugins \
  --data "name=mtls-auth" \
  --data "config.ca_certificates=<ca_certificate_id>"
The plugin validates each presented client certificate against the CA certificate you uploaded in Step 3, referenced here by its id.
5. Configure Trusted Certificate IDs (Optional)
If you have multiple CA certificates, you can specify which ones to trust by updating the plugin's list of CA certificate IDs (comma-separated when there are several):
curl -i -X PATCH http://localhost:8001/plugins/<plugin_id> \
  --data "config.ca_certificates=<ca_certificate_id>"
6. Test the mTLS Setup
6.1. Test Using Curl
To test the mTLS setup, make a request to your Kong service or route while providing the client certificate and private key:
curl -v --cert client.crt --key client.key https://<kong-gateway-url>/your-service-or-route
This request should succeed if the client certificate is valid. If the client certificate is invalid or not provided, the request will fail with an error.
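The following script is an added example, not part of the page or of Kong itself; it automates Steps 1 and 2 in a temporary directory (the CA and client names are constructed) and reproduces the chain check the plugin performs in Step 6 with openssl verify: a client certificate signed by the uploaded CA is accepted, one signed by a different CA is rejected.

```shell
#!/bin/sh
# Added example (constructed names): throwaway CA + clients, then the
# same issuer check Kong's mtls-auth applies to a presented certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# mk_ca NAME: RSA key plus a self-signed CA certificate (Step 1)
mk_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key" -sha256 -days 3650 \
    -subj "/O=Example/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# mk_client NAME CA: key, CSR, and a certificate signed by CA (Step 2)
mk_client() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/O=Example/CN=$1" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/$1.crt" 2>/dev/null
}

# verify_client NAME CA: exit 0 only if NAME chains to CA (what Kong checks)
verify_client() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# cert_cn NAME: the CN Kong sees in the presented certificate
cert_cn() {
  openssl x509 -noout -subject -in "$WORK/$1.crt" | sed 's/.*CN *= *//'
}

mk_ca trusted-ca                    # the CA you would upload to Kong
mk_ca other-ca                      # a CA Kong has never been told about
mk_client good-client trusted-ca
mk_client rogue-client other-ca

verify_client good-client trusted-ca  && echo "good-client:  accepted ($(cert_cn good-client))"
verify_client rogue-client trusted-ca || echo "rogue-client: rejected (issuer not trusted)"
```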
Summary
- Generate a Certificate Authority (CA): Use OpenSSL to generate a root CA (ca.key and ca.crt).
- Create and sign client certificates: Sign client certificates using the CA (client.crt and client.key).
- Upload the CA certificate to Kong (ca.crt).
- Enable the mTLS Authentication plugin for services or routes in Kong.
- Test mTLS by making requests using the client certificates.
By following these steps, Kong Gateway will be configured to enforce mTLS, ensuring that only clients with valid certificates signed by your CA can access your services.