I have service A and service B which communicate with each other. I have a trust root ConfigMap which consists of Cert2a and Cert1 in the bundle (Cert1 issued Cert2a). I have the identity secret (type: kubernetes.io/tls) which has Cert3a and Cert2a (Cert2a issued Cert3a) in the tls.crt section.
If I replace Cert2a with another cert (Cert2b) issued by Cert1, i.e., the ConfigMap would consist of Cert2b and Cert1, the secret would consist of Cert3b and Cert2b (Cert3b issued by Cert2b), and restart one of the services, would the mTLS still work?
I feel yes, as the intermediate certs Cert3b and Cert2b would still be validated against one of the root certs, i.e., Cert1.
When Service A contacts Service B, does Service B send (leaf, Cert3a, Cert2a) or (leaf, Cert3a, Cert2a, Cert1) for establishing the trust chain? I feel it's (leaf, Cert3a, Cert2a), as the server only sends the leaf and intermediate certs for verification, right?
Please let me know if my understanding is wrong
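The two questions above (does the rotated chain still verify, and does the server need to send the root) can be checked directly with Go's standard-library chain builder. The program below is an added example written for this thread; it is not code from the original post or from any service mesh. It constructs an in-memory PKI with the same names as the question (Cert1 as root, Cert2a/Cert2b as intermediates issued by Cert1, Cert3a/Cert3b issued by those, and a workload leaf under each Cert3), then plays the client side of the handshake: `presented` is what the server sends next to its leaf, `bundle` is the contents of the client's trust-root ConfigMap. All keys and names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey pairs a certificate with its private key so it can sign children.
type certKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert builds one constructed certificate; parent == nil gives a self-signed root.
func newCert(cn string, isCA bool, parent *certKey, serial int64) *certKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // workload leaf: usable as TLS server and client for mTLS
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certKey{cert: cert, key: key}
}

// pki mirrors the hierarchy in the question (names are the question's, keys are constructed).
type pki struct {
	cert1, cert2a, cert2b, cert3a, cert3b, leafA, leafB *certKey
}

func buildPKI() *pki {
	p := &pki{}
	p.cert1 = newCert("Cert1 root", true, nil, 1)
	p.cert2a = newCert("Cert2a", true, p.cert1, 2)
	p.cert2b = newCert("Cert2b", true, p.cert1, 3)
	p.cert3a = newCert("Cert3a", true, p.cert2a, 4)
	p.cert3b = newCert("Cert3b", true, p.cert2b, 5)
	p.leafA = newCert("service-b.example.svc", false, p.cert3a, 6) // identity before rotation
	p.leafB = newCert("service-b.example.svc", false, p.cert3b, 7) // identity after rotation
	return p
}

// certs is a small helper to collect certificates from certKeys.
func certs(cks ...*certKey) []*x509.Certificate {
	out := make([]*x509.Certificate, 0, len(cks))
	for _, ck := range cks {
		out = append(out, ck.cert)
	}
	return out
}

// verifyChain is the client's check: `presented` are the certs the server sent with its
// leaf (the chain builder uses them as intermediates), `bundle` is the trust-root ConfigMap.
func verifyChain(leaf *x509.Certificate, presented, bundle []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	p := buildPKI()
	oldBundle, newBundle := certs(p.cert2a, p.cert1), certs(p.cert2b, p.cert1)
	cases := []struct {
		name      string
		leaf      *certKey
		presented []*x509.Certificate
		bundle    []*x509.Certificate
	}{
		{"rotated server, rotated client bundle", p.leafB, certs(p.cert3b, p.cert2b), newBundle},
		{"not-yet-restarted server, rotated client bundle", p.leafA, certs(p.cert3a, p.cert2a), newBundle},
		{"rotated server, not-yet-restarted client bundle", p.leafB, certs(p.cert3b, p.cert2b), oldBundle},
		{"server sends leaf only (no intermediates)", p.leafB, nil, newBundle},
	}
	for _, c := range cases {
		fmt.Printf("%-48s -> %v\n", c.name, verifyChain(c.leaf.cert, c.presented, c.bundle))
	}
}
```

The first three cases verify: in every direction the chain reaches Cert1, which both the old and new bundles contain, so the server never has to send Cert1 itself. The fourth case fails with an unknown-authority error, which is the practical point for the second question: what the server presents must include every intermediate between its leaf and a cert in the peer's bundle, which is why the identity secret's tls.crt carries Cert3 and Cert2 after the leaf.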