
I have nginx-ingress-controller configured in my RKE2 cluster. One of the deployed applications uses an Ingress resource with client certificate authentication configured using the following annotations:

nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: true
nginx.ingress.kubernetes.io/auth-tls-secret: namespace/trusted-certificates
nginx.ingress.kubernetes.io/auth-tls-verify-client: on
nginx.ingress.kubernetes.io/auth-tls-verify-depth: 3
nginx.ingress.kubernetes.io/backend-protocol: HTTP

I have a client certificate which was issued from the 2-tier PKI hierarchy:

client-cert <-- SubCA <-- RootCA

When I try to use the certificate from the soft PKCS#12 keystore, it works fine: I am authenticated through the Ingress and nginx controller. This is the expected behaviour.

However, I need to secure the private key in a more secure way than using the soft keystore. So I tried to use a YubiKey 5C, and just for testing purposes I have uploaded the soft keystore into the PIV application, slot 9a, which is used for authentication.

Now, when I want to authenticate using the YubiKey, I am prompted to select the certificate and provide the PIN. But after that I get:

400 Bad Request
The SSL certificate error
nginx

After enabling debug logging of the nginx controller, I see the following:

client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request header

It means that the YubiKey does not provide the issuer certificates for client certificate-based authentication.

I tried to import the SubCA and RootCA certificates into YubiKey slots 82 and 82; however, it does not help, the result is the same.

The only way I can make it work is to add the complete chain into the secret that is loaded by the Ingress annotation nginx.ingress.kubernetes.io/auth-tls-secret.

But I want to restrict, on the Ingress level, to certificates that are only issued by my SubCA, and not by any other SubCA that was issued from the RootCA; therefore I do not want to have the RootCA certificate configured as trusted on the Ingress. I believe it should be provided by the YubiKey during authentication, in a similar way to how it works with the PKCS#12 keystore.

Do you have any experience or advice on how this should be properly and securely configured? Is it feasible that the YubiKey will send the complete certificate chain up to the RootCA?

user1563721
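
Since the annotations above already pass the client certificate to the upstream (auth-tls-pass-certificate-to-upstream: true), the "only my SubCA" policy can additionally be enforced in the application, independently of what the auth-tls-secret has to contain for nginx to complete the chain. This is an added example, not code from the question or from ingress-nginx: it assumes ingress-nginx forwards the certificate as a percent-encoded PEM in the ssl-client-cert header, builds a constructed in-memory RootCA / SubCA-A / SubCA-B hierarchy, and accepts a client certificate only if it chains to the pinned SubCA itself.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/url"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// issue creates one cert of the constructed toy PKI (nil parent = self-signed RootCA); only the client leaf gets the clientAuth EKU.
func issue(cn string, ca bool, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
	if ca { t.KeyUsage |= x509.KeyUsageCertSign } else { t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} }
	if parent == nil { parent = t }
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// buildPKI constructs RootCA -> {SubCA-A, SubCA-B}, each SubCA issuing one client certificate (all constructed in memory).
func buildPKI() (subA, leafA, leafB *x509.Certificate) {
	key := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	rk, ak, bk, lak, lbk := key(), key(), key(), key(), key()
	root := issue("RootCA", true, nil, &rk.PublicKey, rk)
	subA = issue("SubCA-A", true, root, &ak.PublicKey, rk)
	subB := issue("SubCA-B", true, root, &bk.PublicKey, rk)
	leafA = issue("client-a", false, subA, &lak.PublicKey, ak)
	leafB = issue("client-b", false, subB, &lbk.PublicKey, bk)
	return
}
// headerFor mimics the ssl-client-cert header ingress-nginx sets for the upstream (assumed format: percent-encoded PEM).
func headerFor(c *x509.Certificate) string {
	return url.PathEscape(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
}
// issuedByPinnedSubCA accepts the forwarded client cert only if it chains to the pinned SubCA itself; a leaf from any other SubCA under the shared RootCA is rejected.
func issuedByPinnedSubCA(header string, subCA *x509.Certificate) error {
	raw, err := url.PathUnescape(header) // PathUnescape keeps a literal '+' intact; QueryUnescape would turn it into a space
	if err != nil { return err }
	block, _ := pem.Decode([]byte(raw))
	if block == nil || block.Type != "CERTIFICATE" { return errors.New("ssl-client-cert: no PEM certificate") }
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return err }
	anchors := x509.NewCertPool(); anchors.AddCert(subCA) // the SubCA is the only trust anchor; the RootCA is deliberately absent
	_, err = leaf.Verify(x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

The header is only trustworthy if the backend is reachable exclusively through the ingress; a client that can reach the pod directly could set ssl-client-cert itself.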

0 Answers