Mutual TLS Between Choreo Connect and Backend¶
In Mutual TLS, in addition to the client verifying the server, the server also verifies the client. By having Mutual TLS between Choreo Connect and the backend, both of the following security measures are applied.
- The router in Choreo Connect only creates connections with a verified set of backend servers.
- Backend servers would only accept connections by a previously introduced set of router instances.
Export the Certificates¶
Before you begin
For TLS, if the backend certificate has not been added to the Choreo Connect Router truststore already, use the following commands to create a key and a certificate for the backend, and add the certificate to the Router truststore.
Generate a private key for the backend.
openssl genpkey -out backend.key -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Create the certificate.
The following command creates a self-signed certificate for the backend. Note the CN and SAN values. Having both in the backend certificate is necessary for the router to complete hostname verification when creating a connection with the backend.
openssl req -x509 -new -key backend.key -out backend.pem -subj "/CN=example.com" -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com"))
Add the certificate in
backend.pemto the router as described in Adding Certificates to Specific Clusters.
Important: The ciphers configured here must match the ciphers supported by your backend.
For Mutual TLS, in addition to the configurations done for TLS, the certificate of the router must also exist in the backend truststore.
Add the Router Certificate to the Backend Truststore¶
If the backend truststore is in
keytool -import -file mg.pem -alias router -keystore backend-truststore.jks
If the backend truststore is the usual
/etc/ssl/certs/ca-certificates.crt, append the content in
The certificate for router keystore can be found in