Ingress client certificate authenticate requires CA certificate to be stored in secret?
Asked by sg1993

I want to enable client-certificate authentication in my AKS cluster and I have a basic question which I just don't seem to understand. As per the docs, ingress requires the CA certificate to be stored in a secret. My question is: Assuming that I use client-certificates that have been issued by a trusted CA (that's how it works right? CAs issue client-certificates that they sign?), why would a trusted CA give me their CA certificate to be stored in AKS cluster as a secret? Do CAs just hand out their certificates out to public? Isn't that a security issue? (since I can sign client-certificates using that CA certificate)
The CA certificate .crt file doesn't contain the private key. It only contains the public key + certificate information, which is public and can't be used to sign new certificates. You can safely store the ca.crt in a Kubernetes Secret; it only requires the private key for the server certificate.
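An added example, not part of the question or the answer above: a small check that the PEM bundle you are about to put into the Secret holds only CERTIFICATE blocks (the public part the ingress needs to verify client certificates) and no private key, then builds the Secret and the ingress-nginx annotations that reference it. The PEM bodies are constructed placeholders, not real certificates or keys, and the Secret/annotation names are assumed.

```python
import base64
import re

# Constructed sample bundles: placeholder bodies, not real certificates or keys.
CA_PUBLIC_PEM = """-----BEGIN CERTIFICATE-----
MIIBconstructedPlaceholderBodyNotARealCertificate==
-----END CERTIFICATE-----
"""
# Same bundle with a CA private key accidentally appended: this must never reach the cluster.
CA_LEAKED_PEM = CA_PUBLIC_PEM + """-----BEGIN EC PRIVATE KEY-----
MHQconstructedPlaceholderBodyNotARealKey==
-----END EC PRIVATE KEY-----
"""

# Matches one PEM block and captures its label (CERTIFICATE, EC PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Return the label of every PEM block in the bundle, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def is_safe_ca_bundle(pem_text):
    """True only if the bundle is non-empty and contains certificates and nothing else.
    Any *PRIVATE KEY block is signing material and does not belong in the CA Secret."""
    types = pem_block_types(pem_text)
    return bool(types) and all(t == "CERTIFICATE" for t in types)

def build_ca_secret(name, namespace, pem_text):
    """Build the generic Secret ingress-nginx reads the CA from under the key ca.crt.
    Refuses the bundle outright if it carries any private key."""
    if not is_safe_ca_bundle(pem_text):
        raise ValueError("refusing to store bundle with blocks %s" % pem_block_types(pem_text))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {"ca.crt": base64.b64encode(pem_text.encode()).decode()},
    }

def ingress_auth_annotations(namespace, secret_name):
    """ingress-nginx annotations that enable client-certificate verification against that Secret."""
    return {
        "nginx.ingress.kubernetes.io/auth-tls-secret": f"{namespace}/{secret_name}",
        "nginx.ingress.kubernetes.io/auth-tls-verify-client": "on",
        "nginx.ingress.kubernetes.io/auth-tls-verify-depth": "1",
    }
```

The server's own TLS key pair goes into a separate kubernetes.io/tls Secret; the CA Secret built here only ever carries public material.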