To verify mTLS (Mutual TLS) client certificates in Kong API Gateway using curl, you will need to have:
- A valid client certificate and key that the server can verify.
- The server’s CA certificate to trust the server’s certificate.
Here’s a step-by-step guide to verify the mTLS setup using curl:
1. Ensure mTLS is enabled in Kong
Make sure that the mTLS authentication plugin is enabled on the route, service, or globally in your Kong instance. For example, you can check if the mtls-auth plugin is applied:
curl http://localhost:8001/plugins
If it’s not enabled, you can add the mTLS plugin to a specific route or service:
curl -i -X POST http://localhost:8001/services/{service-id}/plugins \
–data “name=mtls-auth”
2. Ensure the Client Certificate is Associated with a Consumer
To match the client certificate with a consumer in Kong, you need to associate the Common Name (CN) or Subject Alternative Name (SAN) in the certificate with a consumer.
curl -i -X POST http://localhost:8001/consumers/{consumer-id}/mtls_auth \
–data “subject_name=client.example.com”
This ensures that when the client presents the certificate, Kong will map the request to the correct consumer based on the CN.
3. Verify mTLS using curl
To perform mTLS using curl, you will need:
- The client certificate and client key.
- The CA certificate that Kong uses to verify the client certificate.
Use the following curl command to verify mTLS:
bash
Copy code
curl -v https://{KONG_HOST}:{KONG_PORT}/{route-path} \
–cert /path/to/client-cert.pem \
–key /path/to/client-key.pem \
–cacert /path/to/ca-cert.pem
- –cert /path/to/client-cert.pem: Path to the client certificate file.
- –key /path/to/client-key.pem: Path to the client private key file.
- –cacert /path/to/ca-cert.pem: Path to the CA certificate that Kong uses to verify the client certificate.
- -v: Verbose output to see the handshake details.
4. Example Command
For example, if Kong is running on localhost, the route is /secure-service, and you have the client certificate and key:
curl -v https://localhost:8443/secure-service \
–cert /etc/ssl/client-cert.pem \
–key /etc/ssl/client-key.pem \
–cacert /etc/ssl/ca-cert.pem
5. Check the Response
- If the client certificate is valid and trusted, Kong will allow the request, and you will see a 200 OK response (or the relevant service response).
- If the certificate validation fails, you may see errors like:
- 400 Bad Request: Indicates issues with the certificate verification.
- 403 Forbidden: Indicates the certificate was valid but the client was not authorized for the route.
6. Common Errors and Troubleshooting
- 400 Bad Request: SSL certificate validation failed: This usually happens when the client certificate is not signed by the trusted CA or doesn’t match the subject name expected by Kong.
- 403 Forbidden: mTLS authentication failed: This happens if the certificate’s CN or SAN does not match any configured consumers in Kong.
Conclusion
Verifying mTLS in Kong API Gateway via curl involves ensuring that the client certificate and key are properly configured and Kong is set up to validate them. If configured correctly, Kong will authenticate the client using the certificate, and the request will proceed.