Support mTLS authentication based on Intermediate CA certificates while preserving per-client certificate controls

Hello,

We are currently using Tyk Gateway OSS with the following setup:

  • All of our APIs are protected by mTLS between the client and the gateway.
  • Client access and rate limiting are managed through Dynamic mTLS (the former Certificate Authentication approach, as we are currently using a bit older version of Tyk Gateway).
  • Each client certificate has its own configuration, including individual rate limits and access controls.

This approach works well for a limited number of client certificates, but it becomes difficult to manage when a service has dozens of client certificates associated with it.

We are looking for a way to configure specific APIs/proxies so that they trust an Intermediate CA certificate instead of requiring every client certificate to be registered (imported into Tyk Certificate Storage) individually. At the same time, we need this setup to support certificate revocation using CRL, ideally based on the CRL information provided in the certificate chain.

The desired behavior would be as follows:

  • A client should be allowed to access the API if it presents a certificate signed by a trusted Intermediate CA.
  • The trusted Intermediate CA should be scoped only to a specific API/proxy.
  • We would like to avoid manually managing dozens of client certificates for a single service.
  • We need a mechanism to revoke access centrally, ideally through certificate revocation at the CA or Intermediate CA level, rather than removing client certificates one by one from Tyk Certificate Storage.
  • We need to apply rate limits using the same configuration for all child certificates.
  • Backward compatibility is important for us. Ideally, we would like to support both approaches simultaneously:
    • APIs that continue using individually managed client certificates, which is our current model.
    • APIs that trust certificates issued by a specific Intermediate CA.

Questions:

  1. Is this type of setup currently supported by Tyk Gateway OSS?
  2. Can Tyk validate client certificates against a configured Intermediate CA for specific APIs/proxies?
  3. Is there a recommended approach for handling certificate revocation in such a scenario?
  4. Can individually managed certificate-based access and Intermediate CA-based access coexist within the the same proxy configuration?

We would appreciate any guidance, best practices, or examples from similar implementations.

Thank you.

Hello,

Apologies for the late response. To answer your questions

1. Is this type of setup currently supported by Tyk Gateway OSS?
Tyk natively supports validating client certificates against an Intermediate CA scoped to specific APIs. However, it does not natively support Certificate Revocation Lists (CRL) or mapping all child certificates of a CA to a single shared rate limit without registering each leaf certificate. To achieve your exact desired behavior, you may need to implement a Custom Authentication Plugin.

2. Can Tyk validate client certificates against a configured Intermediate CA for specific APIs/proxies?
Yes. With static mTLS, you can upload the CA certificate to the Tyk Certificate Store and add its ID to the API’s client_certificates list with use_mutual_tls_auth set to true. Any client certificate signed by that CA will be accepted, so you don’t need to upload or register each client certificate individually. The client should present the full certificate chain during authentication.

3. Is there a recommended approach for handling certificate revocation in such a scenario?
Currently the Gateway does not natively implement CRL or OCSP revocation checks to verify whether a client certificate has been revoked. However you may perform the revocation checks at a load balancer or reverse proxy before the request reaches Tyk, or implement a custom authentication plugin that validates the client certificate against a CRL or OCSP service during authentication.

4. Can individually managed certificate-based access and Intermediate CA-based access coexist within the same proxy configuration?
They are not designed to be combined on the same API. Certificate Authentication requires each client certificate to be registered individually, while static mTLS accepts any certificate signed by a trusted CA. Because these are different authentication methods, they cannot be used together on the same API. However, you can use them on separate APIs. For example, your existing APIs can continue using Certificate Authentication, while new APIs use static mTLS. Supporting both methods on the same API would require a custom authentication plugin.

Do let us know if this helps.

Regards