このページは、まだ日本語ではご利用いただけません。翻訳中です。
Secure Control Plane and Data Plane Communications
Konnect uses a mutual TLS handshake (mTLS) to secure communication between the control plane and data plane nodes. Konnect control planes support data planes authenticating either with a certificate key pair (a pinned certificate) or a certificate signed by a CA (a PKI certificate).
- Pinned certificates: The data planes authenticate to the control plane using a shared certificate. For this option, the control plane and data plane nodes are provisioned with the same certificate. The control plane validates that the data planes established connection using the pinned certificate.
- Public Key Infrastructure (PKI) certificates: The data planes can establish connection using digital certificates signed by a certificate authority (CA). The control plane must be provisioned with the CA certificate. Konnect uses this certificate to build a chain of trust by verifying the certificates presented by the data planes. If there are intermediate authorities issuing the certificates, the data plane nodes must include the intermediate certificates while establishing connection to the control plane.
Certificate chain
You must upload enough of the certificate chain in the control plane so that the control plane can trust the certificate in the data plane request and authenticate.
Consider the following scenarios with this example cert chain:
Certificate | Type | Issuer |
---|---|---|
cert1 |
Service | Issued by Intermediary |
cert2 |
Intermediary | Issued by Root |
cert3 |
Root | Issued by Root (Self-signed) |
-
Upload only cert1 to the control plane: This is the pinned certificate. You can include just
cert1
in your data plane request and not include the chain. The control plane doesn’t need to evaluate the issuer because it trusts the cert itself. -
Upload only cert2 to the control plane: This would mean any cert coming in that has (issuer: intermediary) would be trusted. You can include just
cert1
in your data plane request. The control plane would trust any certificate issued by the intermediary public key. -
Upload only cert3 to the control plane: This is the typical PKI case. It means any cert signed by the root is trusted. However, since
cert1
is signed by an intermediary andcert2
is signed by root, you need to include bothcert1
andcert2
in your data plane request. The control plane would trust the whole chain becausecert2
is issued bycert3
andcert1
is issued bycert2
.
Generate certificates in Konnect
Konnect provides several options to generate or add a certificate for your data plane nodes.
Generate a certificate key pair
When you use the Konnect wizard to create a data plane node, it generates a certificate key pair. Data planes can establish a connection with this certificate key pair (pinned cert).
- Navigate to Gateway Manager in Konnect.
- Click on the control plane you want to create a data plane node for.
- Click Data Plane Nodes in the sidebar.
- Click Create a New Data Plane Node.
- Follow the instructions in the wizard to create a data plane node and generate the certificate key pair.
Generate a CA-signed certificate
Using the Konnect UI, you can generate a CA certificate, which allows data planes to connect using a certificate signed by that CA (PKI). Alternatively you can upload your own CA using the upload option.
- Navigate to Gateway Manager in Konnect.
- Click on the control plane you want to create a data plane node for.
- From the Action menu, select Data Plane Certificates.
- Either upload or generate a certificate.
Certificates generated by Konnect are valid for 10 years. If you bring your own certificates, make sure to review the expiration date and associated metadata. See Renew Certificates for a Data Plane Node for more details.