Accept mutualTLS for clients with cert signed by specific CA

From the documentation concerning mutualTLS on it seems that Tyk only supports mTLS for whitelisted client certificates. Is there a possibility to whitelist not the client certificate, but a CA that signed the client certificate instead? This would allow for mutual authentication based on a CA certificate and not require to enter all client certificates on a whitelist in the API definition. If not, is this feature on the roadmap?

Hi Niels,
good to hear from you again and apologies for the delay in answering your question.
Yes, it is possible to whitelist a CA. What you need to do is either whitelist the root or the intermediate certificate. You need to ensure that the client application sends the complete chain.
Hope this helps!

1 Like

Hi Mike,

I have tried to accomplish this using the steps described in where I have whitelisted my root CA certificate. I then make a request using the client certificate (signed by my root CA) and specifying the full chaing (openssl s_client -connect *** -cert client.crt -key client.key -build_chain -CAfile chain.pem), however, I get the following:
“error”: “Certificate with SHA256 d2e998330eee71f1a95500e8db329caf9db379dc14c703d54bd77b047e802824 not allowed”

Using the root certificate/key on the client-side or whitelisting the client certificate does work as expected. Am I missing some configuration somewhere?

Best regards,

Any lessons learned with this? I am running into a similar issue.

This is not currently possible. You can whitelist a root cert for SSL handshakes by installing it manually on the gateways file system and updating the cert store, but not for mTLS.

I believe we have a backlogged ticket to include this functionality in the gateway. We’ll see if we can get an update on that for you.

Edit, the internal ticket is: TT-1570.


Thank you! I will be following any updates!