Accept mutualTLS for clients with cert signed by specific CA

From the documentation concerning mutualTLS on https://tyk.io/docs/security/tls-and-ssl/mutual-tls/ it seems that Tyk only supports mTLS for whitelisted client certificates. Is there a possibility to whitelist not the client certificate, but the CA that signed the client certificate instead? This would allow for mutual authentication based on a CA certificate and would not require entering all client certificates in a whitelist in the API definition. If not, is this feature on the roadmap?

Hi Niels,
Good to hear from you again, and apologies for the delay in answering your question.
Yes, it is possible to whitelist a CA. What you need to do is whitelist either the root or the intermediate certificate. You need to ensure that the client application sends the complete chain.
Hope this helps!
/mike


Hi Mike,

I have tried to accomplish this using the steps described in https://tyk.io/docs/security/tls-and-ssl/mutual-tls/#a-name-authorisation-a-authorisation, where I have whitelisted my root CA certificate. I then make a request using the client certificate (signed by my root CA) and specifying the full chain (openssl s_client -connect *** -cert client.crt -key client.key -build_chain -CAfile chain.pem); however, I get the following:

{
  "error": "Certificate with SHA256 d2e998330eee71f1a95500e8db329caf9db379dc14c703d54bd77b047e802824 not allowed"
}

Using the root certificate/key on the client-side or whitelisting the client certificate does work as expected. Am I missing some configuration somewhere?

Best regards,
Niels
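A check that goes with both Mike's answer (whitelist the root or intermediate, and make sure the client sends the complete chain) and the error above. This is an added example, not code from the thread or from Tyk: it builds a root -> intermediate -> client chain with openssl, prints each certificate's SHA256 in the same lower-case, colon-free form Tyk uses in "Certificate with SHA256 ... not allowed", so you can match the fingerprint from the error against the leaf, the intermediate and the root to see which link Tyk is rejecting, and then checks with openssl verify that the leaf actually chains up to the root, with and without the intermediate. File names, CNs and the fingerprint fed to identify_rejected are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Tyk docs or this thread): build a root -> intermediate -> client
# chain, compute SHA256 fingerprints in the form Tyk prints, and verify the chain to the root.
# File names and CNs are illustrative; the "rejected" fingerprint below is constructed.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# CA certificates must carry CA:TRUE or openssl verify rejects them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

# issue_cert <name> <subject CN> <ext file> [<issuer name>]; no issuer means self-signed (root).
issue_cert() {
  name=$1; cn=$2; ext=$3; issuer=$4
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 3650 \
      -extfile "$ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" -CAcreateserial \
      -days 365 -extfile "$ext" -out "$name.pem" 2>/dev/null
  fi
}

# Lower-case, colon-free SHA256 of the DER encoding: the form Tyk prints in its error message.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# identify_rejected <fingerprint from the Tyk error> <cert files...>
# Prints the file whose fingerprint matches, i.e. which link in the chain Tyk rejected.
identify_rejected() {
  wanted=$1; shift
  for f in "$@"; do
    if [ "$(fingerprint "$f")" = "$wanted" ]; then
      echo "$f"
      return 0
    fi
  done
  echo "none"
  return 1
}

# Does the leaf verify up to the root when the intermediate is presented alongside it?
chain_verifies() {
  openssl verify -CAfile root.pem -untrusted intermediate.pem client.pem >/dev/null 2>&1
}

# Does the leaf verify against the root when the client sends only its own certificate?
leaf_only_verifies() {
  openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
}

issue_cert root "Example Root CA" ca.ext
issue_cert intermediate "Example Intermediate CA" ca.ext root
issue_cert client "example-client" client.ext intermediate

for f in root.pem intermediate.pem client.pem; do
  echo "$f $(fingerprint "$f")"
done

# Constructed stand-in for the fingerprint copied out of a Tyk error response.
rejected=$(fingerprint client.pem)
echo "Tyk's error named: $(identify_rejected "$rejected" client.pem intermediate.pem root.pem)"

if chain_verifies; then
  echo "leaf + intermediate verify against the whitelisted root"
fi
if ! leaf_only_verifies; then
  echo "leaf alone does not chain to the root: the client must send the intermediate too"
fi
```

Paste the fingerprint from your own Tyk error in place of the constructed one and point identify_rejected at the certificates your client presents; if the match is the leaf, Tyk is evaluating the end-entity certificate against the whitelist, and if nothing matches, the certificate Tyk saw is not one of the files you think you are sending.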