Ingress client certificate authenticate requires CA certificate to be stored in secret?



  • I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I use client-certificates that have been issued by a trusted CA (that's how it works right? CAs issue client-certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in AKS cluster as a secret? Do CAs just hand out their certificates out to public? Isn't that a security issue? (since I can sign client-certificates using that CA certificate)



  • In the context of X.509, which is used in TLS, we usually use the term “certificate” to refer to a structure which contains, along with identifying information, a public key. Since this key is public and the certificate is generally available to anyone on the Internet, there's no risk in providing it. It probably needs to exist in a secret store only because it's a convenient place to load it from, not because it's actually secret.

    What you're probably thinking of is the private key corresponding to the public key in the certificate, which you of course won't be able to access. Publicly trusted CAs usually store the private key in a hardware security module, so even the people running the CA probably can't access it (only use it to sign things).



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2