TykTechnologies / tyk

Tyk Open Source API Gateway written in Go, supporting REST, GraphQL, TCP and gRPC protocols

Tyk cannot validate client certificates against a certificate authority #6259

Open JanMa opened 4 months ago

JanMa commented 4 months ago

Branch/Environment/Version

Describe the bug

When using Mutual TLS authentication in Tyk, it is not possible to upload a Certificate Authority (CA) certificate in the API definition and make Tyk check if the presented client certificate was issued by said CA. Tyk is only able to compare the hash of the presented certificate against the hashes of all certificates allow-listed in the API definition.

This behavior severely limits the usability of Tyk's mTLS authentication method because it is oftentimes not possible or practical to allow-list every issued certificate that should have access to an API. At @paymenttools we're currently using a custom Go authentication plugin to work around this issue, but it would be great if Tyk would properly support CA chain validation in mTLS.

Reproduction steps

Steps to reproduce the behavior:

  1. Generate your own self-signed CA and a client certificate.
  2. Create an API using mTLS and upload the CA certificate.
  3. Try to use the client certificate to authenticate at the API.

Actual behavior

The client certificate is not allowed to access the API since its hash does not match the hash of the uploaded CA certificate.

Expected behavior

The client certificate was granted access because it could be validated against the uploaded CA certificate.
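The two checks the report contrasts, as an added Go example that is not Tyk's code: a per-certificate allow-list that only compares the SHA-256 hash of the presented certificate (so listing the CA's hash admits nothing), beside a chain check with crypto/x509 that accepts any client certificate issued by the trusted CA. The CA and client certificate are generated in-process with placeholder names; error handling in the helper is omitted for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate signed by parent/parentKey; with parent == nil it is a self-signed CA (errors ignored for brevity).
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// AllowedByHash is the per-certificate allow-list check: the client passes only if the SHA-256
// hash of its own DER encoding is listed, so listing the CA's hash does not admit its clients.
func AllowedByHash(client *x509.Certificate, allowed map[[32]byte]bool) bool {
	return allowed[sha256.Sum256(client.Raw)]
}

// AllowedByCA is the chain check: the client passes if it chains to a trusted CA, is within its validity period and is marked for client authentication.
func AllowedByCA(client *x509.Certificate, roots *x509.CertPool) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario reproduces the report: the allow-list holds only the CA's hash, the client certificate is issued by that CA.
func Scenario() (byHash, byCA bool) {
	ca, caKey := newCert("test-ca", true, nil, nil, 1)
	client, _ := newCert("client-1", false, ca, caKey, 2)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return AllowedByHash(client, map[[32]byte]bool{sha256.Sum256(ca.Raw): true}), AllowedByCA(client, roots)
}
```

Scenario() returns (false, true): the hash comparison rejects the client while chain validation against the uploaded CA accepts it.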

357734432 commented 2 months ago

this may help you: https://tyk.io/docs/basic-config-and-security/security/tls-and-ssl/#self-signed-certs

JanMa commented 2 months ago

Hello @357734432, thank you for the link. I am not sure how it is relevant for this issue though? Could you elaborate please?