Kong's JWT plugin does not require client certificates as part of JWT validation. The confusion usually comes from mixing JWT authentication with mutual TLS, so the two are separated below:
✅ JWT Plugin Basics (No client certs needed)
- JWT authentication in Kong works by reading the token's key claim (`iss` by default), looking up the consumer credential whose `key` matches it, and verifying the token signature with that credential's shared secret (HS256) or public key (RS256/ES256).
- Kong does not require client certificates for this; a certificate only enters the picture if you add mutual TLS (mTLS) as a separate layer.
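To make the point concrete, here is a small stand-in for what the JWT plugin checks on each request: it reads `iss`, looks up a credential by that key, refuses a token whose `alg` header differs from the credential's configured algorithm, verifies the HMAC signature, then checks `exp`. Nothing in this flow touches a client certificate. This is an added example, not code from Kong; the credential table is constructed, only HS256 is implemented, and the error strings are the example's own (chosen to resemble the plugin's responses, exact wording assumed).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-in for Kong consumers' JWT credentials (jwt_secrets).
# `key` is what the token's `iss` claim must equal; the algorithm is fixed
# per credential so a token cannot pick its own.
CREDENTIALS = {
    "orders-client-dev": {
        "consumer": "orders-client",
        "algorithm": "HS256",
        "secret": "dev-shared-secret-change-me",  # constructed sample secret
    },
}


def _b64url_decode(s: str) -> bytes:
    # Compact JWS uses unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_hs256(key: str, secret: str, claims: dict, alg_header: str = "HS256") -> str:
    """Client-side helper: build a compact JWS signed with HMAC-SHA256.

    `alg_header` is exposed only so tests can forge a mismatched header."""
    header = _b64url_encode(json.dumps({"alg": alg_header, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"iss": key, **claims}).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify(token: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, consumer-or-reason), mirroring the plugin's order of checks."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        sig = _b64url_decode(s)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return False, "Bad token"

    # 1. Credential lookup by the key claim (iss). No certificate is consulted.
    cred = CREDENTIALS.get(claims.get("iss"))
    if cred is None:
        return False, "No credentials found for given 'iss'"

    # 2. The token's alg must equal the credential's algorithm (blocks alg=none
    #    and HS/RS confusion attacks).
    if header.get("alg") != cred["algorithm"]:
        return False, "Invalid algorithm"

    # 3. Signature check with the credential's key material.
    if cred["algorithm"] == "HS256":
        expected = hmac.new(cred["secret"].encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "Invalid signature"
    else:
        return False, "Unsupported algorithm in this example"

    # 4. Claim verification (the plugin's claims_to_verify, here just exp).
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "Token expired"

    return True, cred["consumer"]


if __name__ == "__main__":
    good = mint_hs256("orders-client-dev", "dev-shared-secret-change-me", {"exp": int(time.time()) + 300})
    print(verify(good))
    print(verify(mint_hs256("orders-client-dev", "dev-shared-secret-change-me", {"exp": 1}, alg_header="none")))
```

The ordering matters: the algorithm comparison runs before any signature work, so a token that declares `alg: none` or swaps RS256 for HS256 is rejected without ever reaching the HMAC step.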
🔐 When Client Certificates Are Required
If you also enable mTLS authentication, using a plugin such as mtls-auth or by enforcing TLS client authentication at the proxy level, then:
- Yes, you will typically use different client certificates per environment (dev/uat/prod) for security isolation and credential scoping.
- This ensures:
  - A compromise in dev doesn't impact prod.
  - You can rotate and test certs independently.
- Separate certificates only isolate environments if prod's trust store (the CA certificates the mTLS plugin validates against) does not trust the issuer of the dev certificate, so issue each environment's client certs from a distinct CA or intermediate.
💡 Best Practice (if mTLS is involved)
| Environment | Client Cert | Notes |
|---|---|---|
| Dev | client-dev.crt | Lower trust level, used for testing |
| UAT | client-uat.crt | For staging/pre-prod |
| Prod | client-prod.crt | Strict security, strong validation policies |
🎯 Summary
- 🔸 For JWT plugin alone: No client certs are needed.
- 🔸 If you combine with mTLS: Yes, use separate client certs per environment.
- 🔒 Always store keys securely and rotate them periodically.