
Validation of certificate path without importing all intermediates into GW

Question asked by stephen-s.lynch on Feb 22, 2018

Hi, I have a question that is somewhat similar to that of SefanKlotz on 6 Feb 18, but it is from the perspective of a client using mutual TLS auth to the gateway.

We want to set up this mutual auth so that client certificates from multiple intermediates (multiple children of the root certificate) are trusted and can be checked by the federated identity provider. It seems to me that we are obliged to import all of these intermediates, which is painful since they are quite ephemeral in nature. Our engineers are proposing to stick Apache in front of the gateway to get the behaviour we desire, the reason being that Apache's behaviour is more intuitive and in line with how lots of mTLS clients work.

If a client receives a ServerHello with a certificate request in it, then it looks to find a path to the root:

Client    <-- ServerHello { CertRequest (R1) } -- Server

It will select (maybe with the help of the user) a child certificate of R1, if it has one, and respond with a proof that it possesses the private key. In the response it sends the path to R1.

Client -- ClientKeyExchange { certResponse (proof-of-possession, <<CertPathToR1>>) } --> Server

In this way intermediates can change all the time without the server having to specifically trust them. It can trust the root and validate the path as presented by the client. All browsers do this.

Am I missing some bit of configuration in the gateway, because at first sight it does not seem possible to make it operate this way?

Cheers

- Steve
