Tyk cannot validate client certificates against a certificate authority
Branch/Environment/Version
- Version: v.5.3.0
- Environment: On-Prem self-managed
Describe the bug
When using Mutual TLS authentication in Tyk, it is not possible to upload a Certificate Authority (CA) certificate in the API definition and make Tyk check if the presented client certificate was issued by said CA. Tyk is only able to compare the hash of the presented certificate against the hashes of all certificates allow-listed in the API definition.
This behavior severely limits the usability of Tyk's mTLS authentication method because it is often not possible or practical to allow-list every issued certificate that should have access to an API. At @paymenttools we're currently using a custom Go authentication plugin to work around this issue, but it would be great if Tyk would properly support CA chain validation in mTLS.
Reproduction steps
Steps to reproduce the behavior:
- Generate your own self-signed CA and a client certificate.
- Create an API using mTLS and upload the CA certificate
- Try to use the client certificate to authenticate at the API
Actual behavior
The client certificate is not allowed to access the API since its hash does not match the hash of the uploaded CA certificate.
Expected behavior
The client certificate was granted access because it could be validated against the uploaded CA certificate.
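The difference the report describes, as an added Go example (not code from the issue, from Tyk, or from the @paymenttools plugin): `allowedByHash` is the fingerprint allow-list check, `allowedByCA` is chain validation against a trusted CA; the certificates are a constructed in-memory test PKI and all function names are hypothetical.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issueCert builds an in-memory test certificate for cn signed by parent (self-signed CA when parent is nil).
func issueCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// allowedByHash models the check the issue describes: the presented certificate
// passes only if its own SHA-256 fingerprint is on the allow-list.
func allowedByHash(client *x509.Certificate, allowed []*x509.Certificate) bool {
	want := sha256.Sum256(client.Raw)
	for _, a := range allowed {
		if sha256.Sum256(a.Raw) == want {
			return true
		}
	}
	return false
}
// allowedByCA is chain validation: the presented certificate passes if a trusted CA issued it
// and it is acceptable for TLS client authentication.
func allowedByCA(client *x509.Certificate, cas []*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range cas {
		pool.AddCert(ca)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

With only the CA certificate on the list, the client certificate fails `allowedByHash` but passes `allowedByCA`, while a certificate from an unrelated CA fails both.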
this may help you: https://tyk.io/docs/basic-config-and-security/security/tls-and-ssl/#self-signed-certs
Hello @357734432, thank you for the link. I am not sure how it is relevant for this issue though? Could you elaborate, please?
Hello @JanMa,
In Tyk 5.5 we introduced support for you to register Certificate Authority (CA) certificates in your API definitions when using static mutual TLS (mTLS). Take a look at the release notes and linked documentation here.
I hope this resolves your issue and allows you to continue on your Tyk journey.