Accept mutualTLS for clients with cert signed by specific CA

From the documentation concerning mutualTLS on //tyk.io/docs/basic-config-and-security/security/mutual-tls/ it seems that Tyk only supports mTLS for whitelisted client certificates. Is there a possibility to whitelist not the client certificate, but a CA that signed the client certificate instead? This would allow for mutual authentication based on a CA certificate and not require to enter all client certificates on a whitelist in the API definition. If not, is this feature on the roadmap?

Hi Niels,
good to hear from you again and apologies for the delay in answering your question.
Yes, it is possible to whitelist a CA. What you need to do is either whitelist the root or the intermediate certificate. You need to ensure that the client application sends the complete chain.
Hope this helps!
/mike

1 Like

Hi Mike,

I have tried to accomplish this using the steps described in //tyk.io/docs/basic-config-and-security/security/mutual-tls/ where I have whitelisted my root CA certificate. I then make a request using the client certificate (signed by my root CA) and specifying the full chaing (openssl s_client -connect *** -cert client.crt -key client.key -build_chain -CAfile chain.pem), however, I get the following:
“{
“error”: “Certificate with SHA256 d2e998330eee71f1a95500e8db329caf9db379dc14c703d54bd77b047e802824 not allowed”
}”

Using the root certificate/key on the client-side or whitelisting the client certificate does work as expected. Am I missing some configuration somewhere?

Best regards,
Niels

Any lessons learned with this? I am running into a similar issue.

This is not currently possible. You can whitelist a root cert for SSL handshakes by installing it manually on the gateways file system and updating the cert store, but not for mTLS.

I believe we have a backlogged ticket to include this functionality in the gateway. We’ll see if we can get an update on that for you.

Edit, the internal ticket is: TT-1570.

Cheers
Sedky

Thank you! I will be following any updates!

Any news on TT-1570?

@Bogumil_Laska this item is now near the top of our backlog. We will update this thread when we have slotted this piece of work for a release. Thank you.

Hi, it’s been a long wait - but we’re bringing this facility to the next Tyk release in Q3. Thank you for your patience - as you can imagine, we have a very busy and constantly evolving roadmap.

Hello,

In closing an equivalent issue in Github, I realised we didn’t come back and update you here. I’m sorry for the delay. :frowning:

The good news is that in Tyk 5.5.0 we introduced support for you to register Certificate Authority (CA) certificates in your API definitions when using static mutual TLS (mTLS). Take a look at the release notes and linked documentation here.

Thank you for your patience.