I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: assuming that I use client certificates that have been issued by a trusted CA (that's how it works, right? CAs issue client certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in the AKS cluster as a secret? Do CAs just hand their certificates out to the public? Isn't that a security issue? (since I can sign client certificates using that CA certificate)
The CA certificate `.crt` file doesn't contain the private key. It only contains the public key + certificate information, which is public and can't be used to sign new certificates. You can safely store the `ca.crt` in a Kubernetes Secret; only the server certificate requires its private key.

Jean-Philippe Bond
Thanks! One thing that's still not clear to me is that if I use a trusted CA, anyone (outside my organization) who has client certificates signed by that CA can still access my AKS cluster. How do I prevent that from happening if I want to use a trusted CA? – sg1993 May 10 '21 at 15:31
Yes, that's why it doesn't really make sense to use a trusted CA for this feature... If you want to go down that route, you should probably use a private CA. Anyway, it is sometimes convenient, but IMO this is not a good way to secure access to a cluster. You'd better have a private cluster or use something like OAuth 2.0 if it needs to be public. – Jean-Philippe Bond May 10 '21 at 17:15