Networking
mTLS in practice
mTLS (mutual TLS): both the server and the client present and verify certificates. It is a building block of Zero Trust.
How it works
In standard TLS only the client verifies the server's certificate. In mTLS both sides verify each other: the server also demands a client certificate and checks that it chains to a CA it trusts.
Certificates
# CA (self-signed root; keep ca.key offline, it can issue certificates for any name)
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj '/CN=MyCA'
# Server (without -days, openssl x509 -req issues a certificate valid for 30 days)
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj '/CN=server'
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# Client (same CA, so the server can verify it against ca.crt)
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj '/CN=client'
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Nginx (inside the server block, next to ssl_certificate and ssl_certificate_key)
ssl_client_certificate /etc/ssl/ca.crt;
ssl_verify_client on;
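The same rule that ssl_verify_client on enforces, shown end to end as an added example (not part of the original page): a CA, a server and a client certificate are issued in memory, the server requires a CA-issued client certificate, and a client with one gets through while a client with none is refused. All names (issue, Demo, the CN values) are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue returns a certificate for cn signed by parent; with a nil parent it is a self-signed CA.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, DNSNames: []string{"localhost"},
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-sign: the template acts as its own issuer
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// Demo runs an mTLS server (Go's equivalent of ssl_verify_client on) and checks who gets through the handshake.
func Demo() (withCert, withoutCert bool) {
	ca := issue("MyCA", nil)
	server, client := issue("server", &ca), issue("client", &ca)
	pool := x509.NewCertPool() // trust anchor for both directions, like ca.crt above
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert} // the mTLS switch: no valid client cert, no connection
	srv.StartTLS()
	defer srv.Close()
	get := func(certs ...tls.Certificate) bool { // one GET, presenting whatever certificates are given
		cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: certs}
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
		if err != nil {
			return false // handshake refused (with TLS 1.3 the alert arrives on the first read)
		}
		return resp.Body.Close() == nil
	}
	return get(client), get()
}
```

Demo returns (true, false): the certificate-bearing client succeeds, the bare client is refused before any application data is served.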
curl
curl --cert client.crt --key client.key --cacert ca.crt https://api.example.com
Note: curl still verifies the server's name, so the server certificate must carry the host name you connect to (here api.example.com), otherwise the request fails on the server side of the check even though the client certificate is fine.
mTLS = Zero Trust
In a service mesh this is automatic: the mesh issues and rotates the certificates. For your own services, run an internal CA and issue the certificates yourself.