Secure data transmission through mTLS

1 mTLS brief introduction

In projects with high requirements for secure data transmission, data transmission based on mTLS with mutual certificate verification can be adopted. mTLS is a process in which the client and the server verify each other's identity through a certificate authority. In ordinary TLS, only the server presents a certificate: when a client accesses the server over HTTPS, it asks the server for its certificate and authenticates it (a browser checks the certificate against its trusted roots and the requested domain, or shows a warning page). mTLS generates two sets of certificates from the same root CA, namely a client certificate and a server certificate. When the client uses HTTPS to access the server, the two sides exchange certificates and authenticate each other, and communication can only be carried out after both pass authentication.

Figure: Two sets of certificates from the same root CA


In the case of data exchange between two companies, the two companies belong to different domains and use different CAs. If, during the exchange, both companies act as clients and as servers, each company needs to generate SSL certificates for the other as a server for mutual authentication, and each company's CA must be trusted by the other.

2 Partner and Klavi integration via mTLS

When a partner requests Klavi as a client (in this case, Klavi acts as the server), the certificate provided by Klavi must be used to verify the legitimacy of the client. The reverse is also true.

The data transmission process is as follows:

Figure: The example of Openfinance analytics API flow


As you can see from the flowchart above, in the integration with Klavi:

  • If the partner exists only as a client and Klavi as a server, Klavi is required to provide the certificate and the CA key file. The partner does not need to provide a certificate or a CA key file; however, the partner needs to carry the certificate and the CA key file provided by Klavi when requesting Klavi's API.
  • If Klavi exists only as a client and the partner as a server, the partner is required to provide the certificate and the CA key file. Klavi does not need to provide a certificate or a CA key file; however, Klavi will carry the certificate and the key file provided by the partner when requesting the partner's API.
  • If both Klavi and the partner exist as client and server, both of them need to provide the certificate and the CA key file as a server, and when requesting each other they need to bring the certificate and the CA key file issued by the other side for authentication.

The above information can also be represented by the following table:



          | Client | Server | Certificate Provider
Partner   | ✔︎      |        | Klavi provides the certificate and the CA key file
Klavi     | ✔︎      |        | Partner provides the certificate and the CA key file

3 Generate certificates

There are multiple ways to generate a certificate. You can apply for a free or paid certificate from an SSL Certificate Authority (CA). If compliance is not required, you can generate and issue the relevant certificates yourself with the openssl command; because openssl is rather complex, you can also generate and issue the certificates yourself with other open source tools, such as certstrap.

3.1 Generate certificates from Certificate Authority(CA)

SSL certificates are also known as digital certificates. Many cloud service providers work with well-known Certificate Authorities (CAs) to let users apply for, manage, and deploy free or paid SSL certificates, which enable HTTPS to prove identity and encrypt data for your websites, apps, and web APIs.

After you purchase an SSL certificate via a cloud service provider or a CA, you can ask the CA to sign and issue it through the SSL certificate service console. Once the certificate is issued, you can download it and deploy it to your environment (Nginx or your application). In this way, your services can transfer data over HTTPS.

3.2 Quickly generate self signed certificates

The traditional tool for generating self-signed certificates is OpenSSL. However, OpenSSL's complex command options and even more complex configuration can be daunting. Here is a simpler tool for generating self-signed certificates: certstrap. The project address is https://github.com/square/certstrap; please refer to its documentation for installation instructions.

3.2.1 CA certificate

To self-sign a certificate, the first step is to generate a self-signed CA certificate that you trust yourself.

Bash


After the command is completed, a new out directory will be created in the current directory, and the generated certificates will be in this directory.

Bash


3.2.2 Server certificate

Create a CSR, that is, a certificate signing request.

Bash


After the CSR is generated, it is signed with the CA certificate just generated.

Bash


3.2.3 Client certificate

In an enterprise's internal cluster, to secure traffic between services, client requests require mutual authentication. In that case the client also needs to present a certificate.

The generation process for the client certificate is similar to that of the server certificate. It is simpler, because the IP address and domain name information is not needed in the certificate.

Bash


3.2.4 View Certificate

Whether the generated certificate is correct can be checked with the certigo tool. Project address: https://github.com/square/certigo. After installation, query the details of the certificate with the following command.

Bash


You can also use OpenSSL tools to verify and test certificates:

Bash


3.2.5 PKCS format certificate

A certificate in PKCS format can be installed into the system certificate store by double-clicking it, which makes it easy to use in some applications (browsers, etc.). To generate a PKCS format certificate, use the OpenSSL command as follows:

Bash


3.2.6 Format conversion

A certificate file may be in PEM encoding or in DER encoding. The PEM encoding is the one commonly used by Apache and nginx servers.

Bash


4 Mutual TLS authentication examples

4.1 Golang example

Taking Golang as an example, the corresponding tls.Config settings for the network transport layer are required in both the server program and the client program. The following general-purpose package can be used to speed up the generation of the TLS Config on both the client and the server side. Project address: https://github.com/x-mod/tlsconfig.

4.1.1 mTLS server settings

The server enables TLS and client authentication at the same time:

Go


4.1.2 mTLS client settings

Client TLS settings:

Go


The above code only sets up the TLS config object at each end (client and server); the client/server program itself can be implemented in various ways, such as over TCP, HTTP or gRPC.
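Because the page's command and code listings did not survive extraction, here is an added, self-contained Go example (it is not Klavi's code and not the x-mod/tlsconfig package) that carries the flow of sections 3.2 and 4.1 in one program: it builds a root CA with a server and a client certificate under it (the certstrap init / request-cert / sign steps of 3.2.1 to 3.2.3, done in memory with crypto/x509), then builds the server tls.Config that requires and verifies client certificates (4.1.1) and the client tls.Config that trusts the CA and presents the client certificate (4.1.2), and exercises both with an HTTPS POST over loopback. The names api.example.test, partner-client and /v1/report, the one-day validity and the issue/template helpers are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// issue signs tmpl under parent with parentKey; a nil parent yields a self-signed root CA. Example-only stand-in for certstrap's init / request-cert / sign; panics on failure.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced a moment ago, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// template returns a one-day certificate template with the given common name and serial number (assumed values).
func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// PKI is one root CA plus a server and a client certificate it issued (constructed example material).
type PKI struct {
	CA, Server, Client tls.Certificate
	Pool               *x509.CertPool // trust store holding only the root CA
}

func NewPKI() *PKI {
	ca := template("Example Root CA", 1)
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	caCert := issue(ca, nil, nil)
	caKey := caCert.PrivateKey.(*ecdsa.PrivateKey)
	srv, cli := template("api.example.test", 2), template("partner-client", 3)
	srv.DNSNames = []string{"api.example.test"} // the server name the client verifies (SAN), as in 3.2.2
	srv.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	cli.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // client cert: no IP or domain name needed (3.2.3)
	pool := x509.NewCertPool()
	pool.AddCert(caCert.Leaf)
	return &PKI{CA: caCert, Server: issue(srv, caCert.Leaf, caKey), Client: issue(cli, caCert.Leaf, caKey), Pool: pool}
}

// ServerConfig enables TLS and demands a client certificate that verifies against the CA pool (4.1.1).
func (p *PKI) ServerConfig() *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{p.Server}, MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.Pool}
}

// ClientConfig trusts the CA for the server certificate and presents the given client certificates (4.1.2).
func (p *PKI) ClientConfig(certs ...tls.Certificate) *tls.Config {
	return &tls.Config{RootCAs: p.Pool, ServerName: "api.example.test", MinVersion: tls.VersionTLS12, Certificates: certs}
}

// PostJSON serves an mTLS HTTPS endpoint on loopback and POSTs body to it; with no valid client certificate the server refuses the connection and the error is returned.
func (p *PKI) PostJSON(body string, certs ...tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", p.ServerConfig())
	if err != nil {
		return "", err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		data, _ := io.ReadAll(r.Body) // r.TLS.PeerCertificates[0] is the verified client certificate
		fmt.Fprintf(w, "client=%s body=%s", r.TLS.PeerCertificates[0].Subject.CommonName, data)
	})}
	go srv.Serve(ln)
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: p.ClientConfig(certs...)}}
	resp, err := client.Post("https://"+ln.Addr().String()+"/v1/report", "application/json", strings.NewReader(body))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	out, err := io.ReadAll(resp.Body)
	return string(out), err
}

func main() {
	pki := NewPKI()
	fmt.Println(pki.PostJSON(`{"id":1}`, pki.Client))
}
```

Calling PostJSON without a certificate, or with the server certificate in place of the client one, fails: RequireAndVerifyClientCert makes the server verify the presented chain against ClientCAs with the clientAuth usage, so a certificate issued for the wrong purpose is refused as firmly as a missing one. In a real deployment the certificate and key files produced in section 3.2 are loaded with tls.LoadX509KeyPair and the CA file is added to the pool with AppendCertsFromPEM instead of being generated in memory.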

4.2 Command line examples

HTTP POST example:

Curl


A large JSON body can be sent from a file:

Curl


Changelog
Added
2022/11/08: 3.1 Generate certificates from Certificate Authority(CA)
Improved
2022/11/08: 2 Partner and Klavi integration via mTLS