I'm using mTLS with Google Cloud for a load balancer. I have defined a TrustAnchor defining my supported root CAs. The expectation would be that a certificate_authorities extension is included in the certificate_request_context extensions to inform the client which CAs are supported, so that the client can use a correct key and certificate signed by this CA. But GC is not including this. Is there a flag or option to enforce this?

Since the client is supporting multiple servers, the client is using this for the certificate lookup, i.e. a fixed selection and presentation of the client certificate does not work.

k_o_
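The client-side lookup the question relies on, as an added Go example that is not part of the post and not Google Cloud code: a tls.Config.GetClientCertificate callback that matches each candidate certificate's issuer DN against the CAs the server lists in certificate_authorities, and falls back to a per-server default when the server sends no list at all (the behaviour the question observes). The demoCerts stand-ins and the CA names are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)

// dnBytes DER-encodes an X.501 Name with the given CN, the form each
// certificate_authorities entry takes in CertificateRequestInfo.AcceptableCAs.
func dnBytes(cn string) []byte {
	der, _ := asn1.Marshal(pkix.Name{CommonName: cn}.ToRDNSequence()) // a bare CN always encodes
	return der
}

// demoCerts are constructed stand-ins carrying only a parsed Leaf with its issuer
// DN, which is all the selector reads; real clients load chains with tls.LoadX509KeyPair.
func demoCerts(issuerCNs ...string) []tls.Certificate {
	certs := make([]tls.Certificate, len(issuerCNs))
	for i, cn := range issuerCNs {
		certs[i].Leaf = &x509.Certificate{RawIssuer: dnBytes(cn), Issuer: pkix.Name{CommonName: cn}}
	}
	return certs
}

// pickClientCert returns the first certificate whose issuer the server listed. An empty
// list (what the load balancer sends) selects certs[fallback], a per-target default the
// application configures (-1 disables); a list that matches nothing aborts the handshake.
func pickClientCert(certs []tls.Certificate, acceptableCAs [][]byte, fallback int) (*tls.Certificate, error) {
	for i := range certs {
		for _, ca := range acceptableCAs {
			if certs[i].Leaf != nil && bytes.Equal(certs[i].Leaf.RawIssuer, ca) {
				return &certs[i], nil
			}
		}
	}
	if len(acceptableCAs) == 0 && fallback >= 0 && fallback < len(certs) {
		return &certs[fallback], nil
	}
	return nil, errors.New("no client certificate is issued by a CA the server accepts")
}

// clientTLSConfig wires the selector into the handshake for one target server.
func clientTLSConfig(certs []tls.Certificate, fallback int) *tls.Config {
	return &tls.Config{GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return pickClientCert(certs, cri.AcceptableCAs, fallback)
	}}
}
```

Matching on the leaf's immediate issuer assumes the listed CA signed the leaf directly; where an intermediate sits in between, compare every issuer in the configured chain instead.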
  • AFAIK, Google Cloud's load balancers do not support customizing the certificate_authorities extension in the certificate_request_context for mTLS. Since clients have multiple servers, I'm afraid you can't do a fixed selection and presentation on your client certificate. I believe an alternative approach should be considered. – Yvan G. Jul 27 '23 at 18:58
  • AFAIK @YvanG. is correct. I have done a lot of work on configuring and testing mTLS with Google load balancers. The end result is that mTLS works very well, but I expect there will be more features in the future. Consider creating a feature request [link](https://cloud.google.com/support/docs/issue-trackers) and sharing your requirement. – John Hanley Jul 27 '23 at 21:00

1 Answer

Posting my comment as an answer. Please also consider what @JohnHanley mentioned regarding a feature request.

AFAIK, Google Cloud's load balancers do not support customizing the certificate_authorities extension in the certificate_request_context for mTLS. Since clients have multiple servers, I'm afraid you can't do a fixed selection and presentation on your client certificate. I believe an alternative approach should be considered.

Yvan G.