Support mTLS authentication based on Intermediate CA certificates while preserving per-client certificate controls

Hello,

We are currently using Tyk Gateway OSS with the following setup:

  • All of our APIs are protected by mTLS between the client and the gateway.
  • Client access and rate limiting are managed through Dynamic mTLS (the former Certificate Authentication approach, as we are currently using a bit older version of Tyk Gateway).
  • Each client certificate has its own configuration, including individual rate limits and access controls.

This approach works well for a limited number of client certificates, but it becomes difficult to manage when a service has dozens of client certificates associated with it.

We are looking for a way to configure specific APIs/proxies so that they trust an Intermediate CA certificate instead of requiring every client certificate to be registered (imported into Tyk Certificate Storage) individually. At the same time, we need this setup to support certificate revocation using CRL, ideally based on the CRL information provided in the certificate chain.

The desired behavior would be as follows:

  • A client should be allowed to access the API if it presents a certificate signed by a trusted Intermediate CA.
  • The trusted Intermediate CA should be scoped only to a specific API/proxy.
  • We would like to avoid manually managing dozens of client certificates for a single service.
  • We need a mechanism to revoke access centrally, ideally through certificate revocation at the CA or Intermediate CA level, rather than removing client certificates one by one from Tyk Certificate Storage.
  • We need to apply rate limits using the same configuration for all child certificates.
  • Backward compatibility is important for us. Ideally, we would like to support both approaches simultaneously:
    • APIs that continue using individually managed client certificates, which is our current model.
    • APIs that trust certificates issued by a specific Intermediate CA.

Questions:

  1. Is this type of setup currently supported by Tyk Gateway OSS?
  2. Can Tyk validate client certificates against a configured Intermediate CA for specific APIs/proxies?
  3. Is there a recommended approach for handling certificate revocation in such a scenario?
  4. Can individually managed certificate-based access and Intermediate CA-based access coexist within the same proxy configuration?

We would appreciate any guidance, best practices, or examples from similar implementations.

Thank you.
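As an added illustration of the checks the requested setup implies, and not part of the original post or of Tyk's own code, the following Go program (Go because the gateway is written in Go) models a per-API policy whose only trust anchor is one intermediate CA, validates the presented client certificate against that anchor, consults a CRL signed by the same intermediate, and returns one rate limit for every certificate the CA issued. The `APIPolicy` type, the `orders-api` / `client-42` / `stranger` names, the serial numbers and the in-memory root-intermediate-leaf hierarchy are all constructed for the example; nothing here is a Tyk API or real key material. Two points the code makes explicit: Go's `x509.Verify` accepts a non-self-signed intermediate in `Roots`, which is what scopes trust to one API rather than to the whole root, and revocation is checked by serial against a CRL that must be correctly signed and still within its `NextUpdate`, failing closed otherwise (in production the CRL would be fetched from the distribution point named in the chain rather than built locally).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// APIPolicy models the per-API configuration the post asks for: one intermediate CA
// trusted for this API only, that CA's CRL, and one shared rate limit. Illustrative type, not a Tyk API.
type APIPolicy struct {
	Trusted    *x509.CertPool       // holds only this API's intermediate CA
	Issuer     *x509.Certificate    // the same intermediate; verifies the CRL signature
	CRL        *x509.RevocationList // nil until a CRL has been obtained
	RatePerMin int
}

// Authorize accepts a client certificate only if it chains to the API's intermediate, has the
// client-auth EKU and is absent from a fresh, correctly signed CRL; it fails closed without a CRL.
func (p *APIPolicy) Authorize(leaf *x509.Certificate, now time.Time) (int, error) {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       p.Trusted, // a non-self-signed intermediate is a valid anchor for Go
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, fmt.Errorf("not issued by this API's intermediate CA: %w", err)
	}
	switch {
	case p.CRL == nil:
		return 0, errors.New("no CRL available; failing closed")
	case p.CRL.CheckSignatureFrom(p.Issuer) != nil:
		return 0, errors.New("CRL is not signed by the intermediate CA")
	case now.After(p.CRL.NextUpdate):
		return 0, errors.New("CRL is past NextUpdate; refusing stale revocation data")
	}
	for _, rc := range p.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return 0, errors.New("certificate serial is listed in the CRL")
		}
	}
	return p.RatePerMin, nil
}

// BuildCRL signs a CRL with the intermediate's key listing the given serials. In
// production it would instead be fetched from the chain's CRL distribution point.
func BuildCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour), RevokedCertificates: entries,
	}, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// issue generates a P-256 key and signs a certificate for cn with the parent's key
// (self-signed when parent is nil). Constructed test material only; no real keys.
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca { // CA certs get basic constraints and cert/CRL signing instead of a client EKU
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.ExtKeyUsage = true, true, nil
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewTestPKI builds the constructed hierarchy: a root, the "orders-api" intermediate,
// an unrelated intermediate under the same root, and one client under each.
func NewTestPKI() (inter *x509.Certificate, interKey *ecdsa.PrivateKey, client, stranger *x509.Certificate) {
	root, rootKey := issue("Test Root CA", 1, true, nil, nil)
	inter, interKey = issue("orders-api Intermediate CA", 2, true, root, rootKey)
	other, otherKey := issue("Unrelated Intermediate CA", 3, true, root, rootKey)
	client, _ = issue("client-42", 1001, false, inter, interKey)
	stranger, _ = issue("stranger", 2001, false, other, otherKey)
	return
}
```

Wiring it up: put only the API's intermediate in `Trusted`, load a CRL via `BuildCRL` (empty at first), and call `Authorize` per request; `client-42` is accepted with the shared limit, `stranger` (same root, different intermediate) is rejected, and once `client-42`'s serial appears in a fresh CRL it is rejected without touching any per-certificate store. The two models the post wants to keep side by side coexist naturally: APIs that still pin individual certificates keep their per-certificate pool, while APIs that delegate to an intermediate use a pool holding just that CA.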