istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Allow specification of TLS root certificates for an IdP #54

Closed nickrmc83 closed 4 years ago

nickrmc83 commented 4 years ago

Currently any internal IdP whose TLS certificate is not signed by a well-known authority or some delegation thereof will stop working once we start verifying peers correctly. We should make sure it is possible to specify an optional CA certificate for verifying IdP endpoints.

stefanhenseler commented 4 years ago

@cfryanr I'm wondering what the value must be for this option? Do I actually have to put the pem cert in there? I've tried the cacert fingerprint and the issuer name, but with no success.

cfryanr commented 4 years ago

@stefanhenseler The PEM-formatted CA cert. Here's an (abbreviated) example from a configmap. Note that \n denotes newlines in JSON strings.

"trusted_certificate_authority": "-----BEGIN CERTIFICATE-----\nMIIE4jCCAsqgAwIBAgIBATANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDEwZzZm8t\nY2EwHhcNMTkxMjIwMDAxNjI1WhcNMjEwNjIwMDAxNjIxWjARMQ8wDQYDVQQDEwZz\n...\nwPAYZhormzV5LxXMSd3BMdyexNvNiGffULhnYEebFI9GouFxV1LPdVu058LRW/db\n6PDm7+GEq/CcQhTgYOELmmcnC89zNxcCXiahxqKIMTuid295N4NldyK/IT4Tn4GN\nVknTT/Hr\n-----END CERTIFICATE-----"

stefanhenseler commented 4 years ago

Thanks! That worked.
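As an added example (not authservice code), the Python helper below checks that a candidate trusted_certificate_authority value is actually PEM certificate data rather than a fingerprint or issuer name, and renders the JSON configmap fragment with the \n escapes described above. The sample PEM is a constructed placeholder rather than a real CA, the function names are my own, and the check inspects only PEM/DER structure, not whether the certificate is the right trust anchor for the IdP.

```python
import base64
import json
import re

# Constructed sample: a PEM block wrapping a 5-byte DER SEQUENCE, standing in
# for a real internal CA certificate. It is not a usable certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def check_trusted_ca_value(value: str) -> list:
    """Return problems with a candidate value; [] means it looks like PEM cert(s)."""
    problems = []
    blocks = PEM_BLOCK.findall(value)
    if not blocks:
        # Fingerprints, issuer names and file paths all fail here.
        problems.append("no PEM CERTIFICATE block found (expected BEGIN/END markers)")
        return problems
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"block {i}: body is not valid base64")
            continue
        # Every X.509 certificate is a DER SEQUENCE, whose first tag byte is 0x30.
        if not der or der[0] != 0x30:
            problems.append(f"block {i}: decoded bytes are not a DER SEQUENCE")
    return problems


def render_config_entry(pem_text: str) -> str:
    """Render the JSON fragment; json.dumps emits the \\n escapes seen in the thread."""
    problems = check_trusted_ca_value(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    # Normalise CRLF and trailing whitespace so the value is a clean PEM string.
    value = pem_text.replace("\r\n", "\n").strip() + "\n"
    return json.dumps({"trusted_certificate_authority": value}, indent=2)


if __name__ == "__main__":
    print(render_config_entry(SAMPLE_PEM))
```

Running the script on a real CA file's contents (in place of SAMPLE_PEM) yields a value that can be pasted into the authservice configmap as-is.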