
Ingress client certificate authentication requires the CA certificate to be stored in a secret?

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I use client certificates that have been issued by a trusted CA (that's how it works, right? CAs issue client certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in the AKS cluster as a secret? Do CAs just hand their certificates out to the public? Isn't that a security issue? (since I can sign client certificates using that CA certificate)

The CA certificate .crt file doesn't contain the private key. It only contains the public key plus the certificate information, which is public and can't be used to sign new certificates. You can safely store the ca.crt in a Kubernetes Secret; only the server certificate requires its private key.
