certificates/autocert/examples/hello-mtls/README.md

hello-mtls

This repository contains examples of dockerized [m]TLS clients and servers in various languages. There's a lot of confusion and misinformation regarding how to do mTLS properly with an internal public key infrastructure. The goal of this repository is to demonstrate best practices like:

  • Properly configuring TLS to use your internal CA's root certificate
  • mTLS (client certificates / client authentication)
  • Short-lived certificate support (clients and servers automatically load renewed certificates)

Examples use multi-stage docker builds and can be built without any local dependencies other than docker:

docker build -f Dockerfile.server -t hello-mtls-server-<lang> .
docker build -f Dockerfile.client -t hello-mtls-client-<lang> .

Once built, you should be able to deploy via:

kubectl apply -f hello-mtls.server.yaml
kubectl apply -f hello-mtls.client.yaml

Feature matrix

This matrix shows the set of features we'd like to demonstrate in each language and how far along each language is. Bug fixes, improvements, and examples in new languages are appreciated!

go/

  • Server using autocert certificate & key
    • mTLS (client authentication using internal root certificate)
    • Automatic certificate renewal
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation
  • Client using autocert root certificate
    • mTLS (send client certificate if server asks for it)
    • Automatic certificate rotation
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation
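The Go server row above (serving an autocert-issued certificate and key, mTLS against the internal root, automatic renewal, restricted suites and versions) as a worked example. This is added code, not code from hello-mtls or autocert. It assumes the renewer rewrites `cert.pem` and `key.pem` in place in a directory the server reads (autocert delivers renewals into the pod through a shared volume; the exact paths here are an assumption), and the `selfSigned` fixture standing in for step-ca is constructed for the example. `demo` drives the renewal path without opening a socket:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"sync"
	"time"
)

// certReloader resolves the server leaf per handshake and re-parses cert.pem/key.pem
// only when cert.pem has changed, so a renewer (autocert's sidecar in the original)
// can overwrite the files in place. A failed re-read keeps the last good pair.
type certReloader struct {
	certPath, keyPath string
	mu                sync.Mutex
	raw               string // contents of cert.pem that produced cert
	cert              *tls.Certificate
}

func (r *certReloader) getCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	certPEM, err := os.ReadFile(r.certPath)
	keyPEM, kerr := os.ReadFile(r.keyPath)
	if err == nil && kerr == nil && (r.cert == nil || string(certPEM) != r.raw) {
		var c tls.Certificate
		if c, err = tls.X509KeyPair(certPEM, keyPEM); err == nil {
			r.cert, r.raw = &c, string(certPEM)
		}
	}
	if r.cert == nil { // nothing ever loaded: fail the handshake with the cause
		return nil, errors.Join(err, kerr)
	}
	return r.cert, nil // current leaf, or the last good one if the re-read failed
}

// serverTLSConfig requires every client to present a certificate chaining to the internal
// root, takes the leaf from the reloader, and offers only TLS 1.2+ with ECDHE/AEAD suites.
func serverTLSConfig(rootPEM []byte, r *certReloader) (*tls.Config, error) {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return nil, errors.New("no CA certificate found in root PEM")
	}
	return &tls.Config{
		ClientAuth:     tls.RequireAndVerifyClientCert,
		ClientCAs:      roots,
		GetCertificate: r.getCertificate,
		MinVersion:     tls.VersionTLS12,
		CipherSuites: []uint16{ // TLS 1.3 suites are fixed by Go and need no configuration
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}, nil
}

// selfSigned is a constructed fixture standing in for step-ca: a short-lived, self-signed P-256 cert and key as PEM.
func selfSigned(cn string, ttl time.Duration) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}

// demo builds the config in dir, writes a leaf and resolves it, then overwrites the leaf in
// place as a renewal would and resolves again; it returns the two serials that were served.
func demo(dir string) (cfg *tls.Config, served [2]string, err error) {
	rootPEM, _ := selfSigned("hello-mtls root", 24*time.Hour)
	r := &certReloader{certPath: dir + "/cert.pem", keyPath: dir + "/key.pem"}
	cfg, err = serverTLSConfig(rootPEM, r)
	for i := 0; i < len(served) && err == nil; i++ {
		certPEM, keyPEM := selfSigned("hello-mtls-server", time.Hour)
		if err = errors.Join(os.WriteFile(r.certPath, certPEM, 0o600), os.WriteFile(r.keyPath, keyPEM, 0o600)); err != nil {
			return cfg, served, err
		}
		var c *tls.Certificate
		if c, err = cfg.GetCertificate(nil); err == nil {
			leaf, _ := x509.ParseCertificate(c.Certificate[0]) // c.Leaf is only filled in by Go 1.23+
			served[i] = leaf.SerialNumber.String()
		}
	}
	return cfg, served, err
}
```

The two points the block makes that the feature list does not spell out: the leaf is supplied through `GetCertificate` rather than a `Certificates` slice fixed at startup, which is what lets a short-lived certificate be renewed under a running server, and a torn or corrupt renewal leaves the last good pair in service instead of failing handshakes. Re-reading both files on every handshake is the simplest correct check; a production server would compare modification times or watch the directory. Root certificate rotation is not covered here: `ClientCAs` is built once, so rotating the internal root needs the same reload treatment for the pool.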

curl/

  • Client
    • mTLS (send client certificate if server asks for it)
    • Automatic certificate rotation
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation

nginx/

  • Server
    • mTLS (client authentication using internal root certificate)
    • Automatic certificate renewal
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation

node/

  • Server
    • mTLS (client authentication using internal root certificate)
    • Automatic certificate renewal
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation
  • Client using autocert root certificate
    • mTLS (send client certificate if server asks for it)
    • Automatic certificate rotation
    • Restrict to safe ciphersuites and TLS versions
    • TLS stack configuration loaded from step-ca
    • Root certificate rotation