# Secure data transmission through mTLS
## 1. Brief introduction to mTLS

In projects with high requirements for secure data transmission, data transmission based on mTLS, in which client and server verify each other's certificates, can be adopted. mTLS is a process in which the client and the server verify each other's identity through a certificate authority (CA).

In ordinary TLS, the certificate is provided by the server: when a client accesses the server over HTTPS, it asks the server for its certificate and authenticates it (a browser checks the certificate against its own trusted roots and the requested domain, or shows an "insecure connection" page).

With mTLS, two sets of certificates are generated from the same root CA, a client certificate and a server certificate. When the client accesses the server over HTTPS, the two sides exchange certificates and authenticate each other; communication proceeds only after both authentications pass.

In the case of data exchange between two companies, the two companies have different domains and different CAs. If, during the exchange, both companies act as clients as well as servers, each company needs to generate SSL certificates for the other party in its role as a server, so that mutual authentication is possible, and each CA is recognized by the other company.

## 2. Partner and Klavi integration via mTLS

When a partner requests Klavi as a client (in this case Klavi acts as the server), the certificate provided by Klavi must be used to verify the legitimacy of the client. The reverse is also true. The data transmission process is shown in the flowchart (not reproduced here). As the flowchart shows, in the integration with Klavi:

- If the partner exists only as a client and Klavi as the server, Klavi is required to provide the certificate and the CA key file; the partner does not need to provide them. However, the partner needs to carry the above certificate and CA key file when requesting Klavi's API.
- If Klavi exists only as a client and the partner as the server, the partner is required to provide the certificate and the CA key file; Klavi does not need to provide them. However, Klavi will carry the above certificate and key file when requesting the partner's API.
- If both Klavi and the partner exist as client and server, both of them need to provide the certificate and the CA key file as a server, and when requesting each other they need to bring the other party's certificate and CA key file for authentication by the other party.

The above information can also be represented by the following table:

|         | Client | Server | Certificate provider                                     |
|---------|--------|--------|----------------------------------------------------------|
| Partner | ✔︎      | ✘      | Klavi provides the certificate and the CA key file       |
| Klavi   | ✘      | ✔︎      | Partner provides the certificate and the CA key file     |

## 3. Generate certificates

There are multiple ways to generate a certificate. You can apply for a free or paid certificate through an SSL certificate authority (CA). If compliance is not required, you can generate and issue the relevant certificates yourself with the `openssl` command; because OpenSSL is rather complex, you can also generate and issue certificates yourself with other related open source software, such as certstrap.

### 3.1 Generate certificates from a certificate authority (CA)

SSL certificates are also known as digital certificates. Many cloud service providers work with well-known certificate authorities (CAs) to allow users to apply for, manage and deploy free or paid SSL certificates, which enable HTTPS to identify identities and encrypt data for your websites, apps and web APIs. After you purchase an SSL certificate via a cloud service provider or a CA, you can ask the CA to sign and issue it through the SSL certificate service console. Once the certificate is issued, you can download it and deploy it to your environment (Nginx or your application); in this way, your services can transfer data over HTTPS.

### 3.2 Quickly generate self-signed certificates

The traditional tool for generating self-signed certificates is OpenSSL. However, OpenSSL, with its complex command options and even more complex configuration, will make people feel
numb. Here is a simpler tool for generating self-signed certificates: certstrap. The project address is https://github.com/square/certstrap; please refer to its documentation for installation.

#### 3.2.1 CA certificate

To self-sign a certificate, the first step is to generate a self-trusted CA certificate:

```bash
$ certstrap init --common-name "ExampleCA" --expires "20 years"
```

After the command completes, a new `out` directory is created in the current directory, and the generated certificates are placed in it:

```bash
$ tree out
out
├── ExampleCA.crl
├── ExampleCA.crt
└── ExampleCA.key
```

#### 3.2.2 Server certificate

Create a CSR, that is, a certificate signing request:

```bash
$ certstrap request-cert --cn server --ip 127.0.0.1 --domain "*.example.com"
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Created out/server.key
Created out/server.csr
```

After the CSR is generated, sign it with the CA certificate just created:

```bash
$ certstrap sign server --CA ExampleCA
Enter passphrase for CA key (empty for no passphrase):
Created out/server.crt from out/server.csr signed by out/ExampleCA.key
```

#### 3.2.3 Client certificate

In the internal cluster of an enterprise, in order to ensure security between services, mutual authentication is required for client requests; in that case the client also needs to present a certificate. The generation process of the client certificate is similar to that of the server, only simpler, because the IP and domain name information is not needed:

```bash
$ certstrap request-cert --cn client
$ certstrap sign client --CA ExampleCA
```

#### 3.2.4 View certificate

Whether the generated certificate is correct can be checked with the certigo tool (project address: https://github.com/square/certigo). After installation, query the details of a certificate with the following command:

```bash
$ certigo dump out/server.crt
** CERTIFICATE 1 **
Valid: 2019-08-26 09:34 UTC to 2021-08-26 09:34 UTC
Subject:
	CN=server
Issuer:
	CN=ExampleCA
DNS Names:
	*.example.com
IP Addresses:
	127.0.0.1
```

You can also use OpenSSL to verify the certificates against the CA:

```bash
$ openssl verify -CAfile out/ExampleCA.crt out/server.crt
$ openssl verify -CAfile out/ExampleCA.crt out/client.crt
```

#### 3.2.5 PKCS format certificate

A certificate in PKCS#12 format can be installed into the system certificate store with a double click, which is convenient for some applications (browsers, etc.). To generate a PKCS#12 file, use the following `openssl` command:

```bash
$ openssl pkcs12 -export -out client.p12 -inkey out/client.key -in out/client.crt -certfile out/ExampleCA.crt
```

#### 3.2.6 Format conversion

A certificate may be encoded in PEM format or in DER format. PEM is the format commonly used by Apache and Nginx servers:

```bash
$ openssl x509 -in out/client.crt -out out/client.pem -outform PEM
```

## 4. Mutual TLS authentication examples

### 4.1 Golang example

Taking Golang as an example, the corresponding `tls.Config` (transport-layer) settings are required in both the server program and the client program. The following general package can be used to generate the TLS config on the client and server side more quickly; the project address is https://github.com/x-mod/tlsconfig.

#### 4.1.1 mTLS server settings

The server enables TLS and client authentication at the same time:

```go
import "github.com/x-mod/tlsconfig"

cf := tlsconfig.New(
	// server TLS certificate
	tlsconfig.CertKeyPair("out/server.crt", "out/server.key"),
	// client TLS CA certificate
	tlsconfig.ClientCA("out/ExampleCA.crt"),
	// verify the client certificate
	tlsconfig.ClientAuthVerified(),
)
```

#### 4.1.2 mTLS client settings

Client TLS settings:

```go
import "github.com/x-mod/tlsconfig"

cf := tlsconfig.New(
	// server TLS CA certificate
	tlsconfig.CA("out/ExampleCA.crt"),
	// client TLS certificate
	tlsconfig.CertKeyPair("out/client.crt", "out/client.key"),
)
```

The code above is only the TLS `Config` setup at each
end of the client/server pair; the client and server programs themselves can be implemented in various ways, such as over TCP, HTTP or gRPC.

### 4.2 Command-line examples

HTTP POST example:

```bash
curl -v -X POST --cacert out/ExampleCA.crt --cert out/server.crt --key out/server.key \
  https://example.com/callback \
  -H 'Content-Type: application/json;charset=utf-8' \
  -d '{"foo": "bar"}'
```

A large JSON body can be sent from a file:

```bash
curl -v -X POST --cacert out/ExampleCA.crt --cert out/server.crt --key out/server.key \
  https://example.com/callback \
  -H 'Content-Type: application/json;charset=utf-8' \
  -d @test.json
```
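The settings in section 4.1 only build the `tls.Config` objects. The following program is an added example, written for this page with the Go standard library only; it is not code from the original page nor from the x-mod/tlsconfig project. It performs the whole round trip in memory: it issues the same three certificates the certstrap commands in section 3.2 produce (a root `ExampleCA`, a `server` certificate with the `127.0.0.1` SAN, and a `client` certificate), starts an HTTPS server that requires and verifies client certificates, and then calls the `/callback` path used by the curl examples twice, once with the client certificate and once without. The function names (`RunMTLSDemo`, `newCert`, `template`, `get`) and the one-day validity period are this example's own choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// template returns a one-day certificate template for cn; eku selects server or client use.
func template(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
}

// newCert generates a P-256 key and issues tmpl: self-signed when parent is nil (root CA, like
// `certstrap init`), otherwise signed by parentKey (like `certstrap sign --CA`).
func newCert(tmpl, parent *x509.Certificate, parentKey interface{}) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, err
}

// get performs an HTTPS GET trusting only roots and presenting certs (nil means no client certificate):
// the client side of section 4.1.2 (tlsconfig.CA plus tlsconfig.CertKeyPair) with the standard library.
func get(url string, roots *x509.CertPool, certs []tls.Certificate) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: roots, Certificates: certs, MinVersion: tls.VersionTLS12,
	}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// RunMTLSDemo builds an in-memory CA, server and client certificate, serves /callback over mTLS on
// 127.0.0.1 and returns the body seen by the authenticated client and the error seen by a client
// that presents no certificate.
func RunMTLSDemo() (authenticated string, rejected error, err error) {
	ca := template("ExampleCA", 1)
	ca.IsCA, ca.KeyUsage = true, x509.KeyUsageCertSign
	caTLS, caCert, err := newCert(ca, nil, nil)
	if err != nil {
		return "", nil, err
	}
	srv := template("server", 2, x509.ExtKeyUsageServerAuth)
	srv.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")} // SAN, as `certstrap request-cert --ip` does
	srvTLS, _, err := newCert(srv, caCert, caTLS.PrivateKey)
	if err != nil {
		return "", nil, err
	}
	cliTLS, _, err := newCert(template("client", 3, x509.ExtKeyUsageClientAuth), caCert, caTLS.PrivateKey)
	if err != nil {
		return "", nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	// Server side: own certificate plus mandatory, CA-verified client certificates, the standard-library
	// form of tlsconfig.CertKeyPair + tlsconfig.ClientCA + tlsconfig.ClientAuthVerified in section 4.1.1.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvTLS},
		ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12})
	if err != nil {
		return "", nil, err
	}
	defer ln.Close()
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // verified client CN
	}))
	url := "https://" + ln.Addr().String() + "/callback"
	if authenticated, err = get(url, pool, []tls.Certificate{cliTLS}); err != nil {
		return "", nil, err
	}
	_, rejected = get(url, pool, nil) // no client certificate: the server refuses the handshake
	return authenticated, rejected, nil
}

func main() { fmt.Println(RunMTLSDemo()) }
```

Running it prints `hello client` for the authenticated request and a TLS alert error (for example `remote error: tls: certificate required`, depending on the negotiated TLS version) for the request without a client certificate. Two points carry over to the file-based setup in section 3.2: the server must verify client certificates against the CA only (`ClientCAs`), never against the system roots, and the client certificate must carry the client-authentication extended key usage, which certstrap sets for you.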