Add Certificate Authorities - Plugin

To use this plugin, you must add certificate authority (CA) certificates. These are stored in a separate ca_certificates store rather than the main certificates store because they do not require private keys. To add one, obtain a PEM-encoded copy of your CA certificate and pass it to the /ca_certificates endpoint in a POST request:

Kong Admin API

Konnect

curl -X POST https://localhost:8001/ca_certificates -F cert=@cert.pem

The response will contain an id value that can now be used for the Header Cert Auth plugin configurations or consumer mappings.

Go through the Gateway Manager:

From the Konnect Gateway Manager.
Select a control plane and click Certificates
Select the CA Certificates tab and Add CA Certificate
Copy and paste your certificate information and click Save.

You can view the certificate listed in the Certificates tab.

To add a certificate via the Konnect API, you need:

Konnect control plane ID
A personal access token

curl -X POST https://konnect.konghq.com/api/control_planes/{controlPlaneID}/ca_certificates \
  -F cert=@testCACert.pem \
  --header "Authorization: Bearer TOKEN"

The id value returned can now be used for the Header Cert Auth plugin configurations or consumer mappings.

Important: To ensure proper certificate validation, it is important to upload all required Certificate Authorities (CAs) and their intermediates into the Kong CA store.

Failure to do so may result in incomplete certificate validation, as some WAF and load balancer providers only send the end-leaf certificate in their header, rather than encoding the entire certificate chain sent by the client. This is especially crucial when using the base64_encoded format.

前へ Header Cert Authenticationの基本構成例

次へ AWS ALB Integration