
Revoking SSL certificate in Mutual TLS authentication

I am trying to enable Mutual TLS based authentication for an application deployed in a Kubernetes cluster.

Use cases:

  1. Want to restrict access to our application to only those users with trusted client cert.
  2. Based on certain situations/conditions, I would also want to revoke the certificate of a specific user so that the user is no longer able to access the application with his/her certificate.

I tried setting up Mutual TLS at the Kubernetes ingress controller (nginx based) by adding the following annotations.

    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "ca-cert"

ca-cert is the Kubernetes secret containing the CA certificate used to issue client certs. In this way the ingress validates the client certificate sent as part of the request against ca-cert.

This works very well for any client certs signed by ca-cert. I am trying to come up with a solution for a certificate revocation process. I need advice on this.

Is it possible to trust individual client certs instead of a CA cert in the ingress? This would help us revoke individual client certs.

If I understand you correctly, you need to use an Nginx Certificate Revocation List. It should be done using the standard Nginx configuration (create it in the standard format, add it to a file, update the file from the Ingress). Here are more details / tutorials regarding this.

Please let me know if that helped.
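The answer above points at a CRL but does not show what the check actually involves. The following Go program is an added example, not code from the original post or from ingress-nginx; it uses only the standard library. It builds a small client-certificate PKI, issues two users, revokes one by serial number, signs a CRL, and verifies both certificates the way an mTLS terminator does with the CA certificate plus a CRL: chain the leaf to the CA for clientAuth, then reject any serial that appears on a CRL the same CA signed. It also shows why the CRL's own signature and freshness must be checked: an empty CRL signed by an unrelated CA is rejected instead of being read as "nothing revoked". The CA names, the users alice and bob, and the 24-hour CRL lifetime are made up for the example. The `ca.crl` mentioned in the comments is the optional key ingress-nginx reads from the same secret as `ca.crt`; check your controller version's documentation for the exact key name and reload behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on PKI setup errors so the helpers stay short; only verifyClient returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key pair and certificate for name: with ca == nil, a self-signed CA allowed to
// sign certificates and CRLs (CreateRevocationList needs crlSign); otherwise a TLS client-auth leaf.
func issue(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))), // CRL entries key on this
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca == nil { // self-signed: the template is its own parent
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		ca, caKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// buildCRL signs a PEM CRL listing the revoked entries: the document that would be stored under
// the ca.crl key of the ingress auth-tls secret, next to ca.crt.
func buildCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate, number int64) []byte {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(number), // must increase on every reissue
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour), // reissue before this even if nothing new was revoked
		RevokedCertificates: revoked,
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return pem.EncodeToMemory(&pem.Block{Type: "X509 CRL", Bytes: der})
}

// verifyClient does what the TLS terminator does with ca.crt plus ca.crl: chain the leaf to the CA
// for clientAuth, then reject it if a fresh CRL that this CA really signed lists its serial.
func verifyClient(ca *x509.Certificate, crlPEM []byte, client *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	block, _ := pem.Decode(crlPEM)
	if block == nil || block.Type != "X509 CRL" {
		return fmt.Errorf("crl: not a PEM-encoded X509 CRL")
	}
	crl, err := x509.ParseRevocationList(block.Bytes)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL signed by anyone else proves nothing
		return fmt.Errorf("crl: not signed by the trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) { // stale list: fail closed rather than assume nothing changed
		return fmt.Errorf("crl: past NextUpdate %s, refusing to trust it", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(client.SerialNumber) == 0 {
			return fmt.Errorf("certificate of %q (serial %s) is revoked", client.Subject.CommonName, client.SerialNumber)
		}
	}
	return nil
}

// demo: alice and bob under one CA, alice revoked; plus an empty CRL from an unrelated CA, as
// someone able to swap the list would try in order to "un-revoke" alice. All names are made up.
func demo() (revokedErr, validErr, rogueCRLErr error) {
	ca, caKey := issue("example client CA", nil, nil)
	alice, _ := issue("alice", ca, caKey)
	bob, _ := issue("bob", ca, caKey)
	crl := buildCRL(ca, caKey, []pkix.RevokedCertificate{{SerialNumber: alice.SerialNumber, RevocationTime: time.Now()}}, 1)
	rogueCA, rogueKey := issue("rogue CA", nil, nil)
	return verifyClient(ca, crl, alice), verifyClient(ca, crl, bob), verifyClient(ca, buildCRL(rogueCA, rogueKey, nil, 1), alice)
}

func main() { fmt.Println(demo()) }
```

Operationally, revocation takes effect only once the updated CRL reaches the TLS terminator, so the list has to be regenerated and pushed into the secret on every revocation, with an increasing Number, and reissued again before NextUpdate even when nothing changed. A terminator that treats a missing, stale or foreign-signed CRL as "nothing revoked" silently undoes the revocation, which is why verifyClient fails closed on all three.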
