</code></pre></div><p>Note: If using CA Authentication, described below, you will need to sign the server certificate with the CA.</p><h2id=client-certificate-authentication>Client Certificate Authentication<aclass=headerlinkhref=#client-certificate-authenticationtitle="Permanent link"> ¶</a></h2><p>CA Authentication also known as Mutual Authentication allows both the server and client to verify each others identity via a common CA.</p><p>We have a CA Certificate which we usually obtain from a Certificate Authority and use that to sign both our server certificate and client certificate. Then every time we want to access our backend, we must pass the client certificate.</p><p>These instructions are based on the following <ahref=https://medium.com/@awkwardferny/configuring-certificate-based-mutual-authentication-with-kubernetes-ingress-nginx-20e7e38fdfca>blog</a></p><p><strong>Generate the CA Key and Certificate:</strong></p><divclass=highlight><pre><span></span><code><spanclass=go>openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=My Cert Authority'</span>
</code></pre></div><p><strong>Generate the Server Key, and Certificate and Sign with the CA Certificate:</strong></p><divclass=highlight><pre><span></span><code><spanclass=go>openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=mydomain.com'</span>
</code></pre></div><p><strong>Generate the Client Key, and Certificate and Sign with the CA Certificate:</strong></p><divclass=highlight><pre><span></span><code><spanclass=go>openssl req -new -newkey rsa:4096 -keyout client.key -out client.csr -nodes -subj '/CN=My Client'</span>
</code></pre></div><p>Once this is complete you can continue to follow the instructions <ahref=../auth/client-certs/#creating-certificate-secrets>here</a></p><h2id=test-http-service>Test HTTP Service<aclass=headerlinkhref=#test-http-servicetitle="Permanent link"> ¶</a></h2><p>All examples that require a test HTTP Service use the standard http-svc pod, which you can deploy as follows</p><divclass=highlight><pre><span></span><code><spanclass=gp>$ </span>kubectl<spanclass=w></span>create<spanclass=w></span>-f<spanclass=w></span>https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/docs/examples/http-svc.yaml
</code></pre></div><p>You can test that the HTTP Service works by exposing it temporarily</p><divclass=highlight><pre><span></span><code><spanclass=gp>$ </span>kubectl<spanclass=w></span>patch<spanclass=w></span>svc<spanclass=w></span>http-svc<spanclass=w></span>-p<spanclass=w></span><spanclass=s1>'{"spec":{"type": "LoadBalancer"}}'</span>
</code></pre></div></article></div></div></main><footerclass=md-footer><divclass="md-footer-meta md-typeset"><divclass="md-footer-meta__inner md-grid"><divclass=md-copyright> Made with <ahref=https://squidfunk.github.io/mkdocs-material/target=_blankrel=noopener> Material for MkDocs </a></div></div></div></footer></div><divclass=md-dialogdata-md-component=dialog><divclass="md-dialog__inner md-typeset"></div></div><scriptid=__configtype=application/json>{"base":"../..","features":["navigation.tabs","navigation.tabs.sticky","navigation.instant","navigation.sections"],"search":"../../assets/javascripts/workers/search.f886a092.min.js","translations":{"clipboard.copied":"Copied to clipboard","clipboard.copy":"Copy to clipboard","search.result.more.one":"1 more on this page","search.result.more.other":"# more on this page","search.result.none":"No matching documents","search.result.one":"1 matching document","search.result.other":"# matching documents","search.result.placeholder":"Type to start searching","search.result.term.missing":"Missing","select.version":"Select version"}}</script><scriptsrc=../../assets/javascripts/bundle.aecac24b.min.js></script></body></html>
