Thank you, @Sachin, for such great content. It is really helping me a lot!
Now, for any ADHD viewer here, like me, just go get your coffee, take your time and come back to focus: I can assure you that it's not your WhatsApp notification popping. Just (try to) ignore it and enjoy the lesson.
I just realized many other tutorials have missed/skipped step 6 in the pictures. The step to validate the cert with the CA. Thanks for clearing that up. 🎉
Thanks for the video. Just to clarify on step #6, the client doesn't contact the CA for validation directly over the network. It is the client's browser which contains the CA certificates (Root CA & Issuing CA of the server certificate) in the browser trust store; this is where the validation chaining is computed and trusted.
One of the best explanations I have found so far :), loved it. Keep up the good work.
awesome explanation with an example
One trap I fell into with modern browsers: they don't really care about the CN field anymore; rather, they need it to be listed in the SAN (Subject Alternative Name) field.
Well explained 👏👏🙌
One thing I am still confused about. If we send our client public certificate to the server and the server simply checks the trust store to make sure it's a trusted client, how does the server know that some other unauthorised/malicious client isn't using our public certificate and pretending to be us? It is a public cert, after all.
Or are we saying this certificate is not truly public and should be treated like a private key?
_______________
OR do we say that no symmetric key is generated, and instead both parties use the received public key to encrypt data (ensuring that the recipient can only read it if they hold the private key)?
My idea would be that the server encrypts some data using the public key, sends it to the client, and the client must send back the correct result to verify that the client holds the private key; THEN and only THEN can a symmetric key be used. But this is not explained anywhere. Please help (::
I read it at a glance; your explanation at the end is true. With the handshake, when the public key is present in the server's trust store, only the right client would be able to decrypt anything encrypted using it.
Thanks for the video. This part with the graphic was very useful for understanding
dude.. loved it. great stuff
very nice video. thank you @sachin
Very nice explanation. Great job
Hi, which tool are you using to execute this mTLS?
Can you explain how to generate a client certificate? I'm not sure what to place in the CN field, since it's a server. I would like to talk in more detail with you.
The client can enter its own details, where it is hosted, in the CN field.
@06:50 can you explain what the -cacert you are passing in the curl command is? Is that the client CA cert? If so, why are we sending the client CA cert to the server?
Very nice.
Why did you skip the curl command part?
Yes, this is helpful @sachine
I mean, is it the same when I integrate several certificate files which are included in the cert chain into one cert file as ca.crt, and then use the client.crt, which is not changed and not integrated at all, to auth? I just failed in a Traefik environment.
Brother, help is required. Please respond if possible.
Thanks for the help.
The root cert was a little confusing; otherwise it gave me a fair idea.
My application is running in AWS ECS, the path to connect to my app externally is as follows:
AWS route53 => Load Balancer => AWS ECS (my app runs here)
Do you know if I could still perform mTLS in my app running in ECS? I think that the only way would be to introduce an AWS API Gateway. What do you think?
By the way, I love this video, it is the best for this topic.
Do you really have to use mTLS for your scenario? To me it seems to be a public endpoint, as you mentioned Route53.
Moreover, in ELB you can apply security groups (if ALB and not NLB), which ensures/restricts access to the expected client.
@@sachinshukla6047 we really need mTLS since the client does not have a static IP. I figured out that we can use an NLB instead of an ALB. In this way the TLS operations can occur in our backend, but it sounds better to introduce AWS API Gateway since it already supports mTLS out of the box. Thanks for your video and answer, I really appreciate it.
Welcome 🙏
@sachinshukla6047 does the server need to add the (public) client.crt instead of rootCA.crt to the server trust store? If yes, in what scenario?
But when I set up mTLS in Traefik, the cert returns the server.crt, but my leader told me that a cert chain containing several cert files, including server.crt and ca.crt, is normal, not a single cert such as server.crt.
Using cat to concatenate them into one file is ideal, but client.crt just can't be identified.
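The following script is an added example, not code from the video or from any commenter, that runs the questions of this thread against a throwaway PKI built with openssl: step 6 (chain validation happens locally against the CA cert in the verifier's trust store, nobody contacts the CA), the SAN trap for browsers, what the CN of a client cert can hold, how the server chain file a reverse proxy expects is assembled with cat, why a server trust store normally holds the CA cert rather than each client.crt, and the open question about a stolen client.crt. On that last point the handshake does not encrypt anything to the client's public key: in TLS 1.2 and 1.3 the client proves possession by signing the handshake transcript with its private key (the CertificateVerify message) and the server checks that signature against the public key in client.crt, which is what the last function reproduces with a constructed stand-in for the transcript. The names "Demo Root CA", api.example.test, alice and the attacker files are placeholders chosen for this example; the curl line at the end is shown in a comment only, since no server is started. It needs only a POSIX sh and the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the video or the commenters: a throwaway PKI built
# with openssl that exercises the points raised in this thread.
# Placeholders (assumptions, not from the page): "Demo Root CA", api.example.test, alice.
set -eu

# Build a root CA, a server cert with a SAN, a client cert, the server chain
# file, and attacker material that stands in for someone who only has client.crt.
build_pki() {
  dir=$1
  # Minimal config so openssl req works even where no system openssl.cnf exists.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # Root CA, self-signed. ca.crt (never ca.key) is what goes into a trust store.
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Server cert. The hostname goes into the SAN; browsers ignore a CN-only name.
  printf 'subjectAltName=DNS:api.example.test\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Client cert. The CN names the client (a user, a host, a service); pick whatever the
  # server will authorise on. Issued by the same CA, so the server only needs ca.crt.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  # Chain file the server presents: leaf first, then the issuing CA(s). This is
  # what a reverse proxy such as Traefik expects rather than server.crt alone.
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/server-chain.crt"
  # Attacker material: their own key, plus a self-signed cert that copies alice's CN.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/attacker.key" 2>/dev/null
  openssl req -new -x509 -config "$dir/req.cnf" -key "$dir/attacker.key" -days 30 \
    -subj "/CN=alice" -out "$dir/attacker-self.crt" 2>/dev/null
}

# Step 6 of the video, done the way a browser does it: purely local, against
# the CA cert in the verifier's trust store. Nobody contacts the CA.
verify_chain() {        # verify_chain DIR LEAF -> exit 0 when LEAF chains to ca.crt
  openssl verify -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Hostname check as a modern browser does it: the name must be in the SAN.
san_contains() {        # san_contains CERT NAME
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# What the handshake really does instead of "encrypt something to the client":
# the client signs the handshake transcript with its private key (TLS
# CertificateVerify) and the server checks that signature with the public key
# inside client.crt. Holding client.crt alone cannot produce a valid signature.
prove_possession() {    # prove_possession DIR KEY -> exit 0 when KEY matches client.crt
  # Constructed stand-in for the transcript hash covered by CertificateVerify.
  printf 'ClientHello|ServerHello|Certificate|...' > "$1/transcript"
  openssl dgst -sha256 -sign "$1/$2" -out "$1/sig" "$1/transcript"
  openssl x509 -in "$1/client.crt" -pubkey -noout > "$1/client.pub"
  openssl dgst -sha256 -verify "$1/client.pub" -signature "$1/sig" "$1/transcript" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
build_pki "$WORK"
verify_chain "$WORK" server.crt && echo "server.crt: chains to ca.crt (checked locally)"
verify_chain "$WORK" client.crt && echo "client.crt: chains to ca.crt, the server will accept it"
verify_chain "$WORK" attacker-self.crt || echo "attacker-self.crt: rejected, not issued by our CA"
san_contains "$WORK/server.crt" api.example.test && echo "server.crt: api.example.test is in the SAN"
prove_possession "$WORK" client.key && echo "client.key: signature verifies, this really is alice"
prove_possession "$WORK" attacker.key || echo "attacker.key: signature fails, client.crt alone is useless"
# How the files map onto the curl command from the video (no server is started here):
#   curl --cacert ca.crt --cert client.crt --key client.key https://api.example.test/
#   --cacert  the CA the client trusts when it verifies the server's chain
#   --cert    the client's own certificate, sent to the server
#   --key     the private key that produces the CertificateVerify signature
```

Two things the run makes concrete: the server's trust store holds ca.crt, so every client the CA has issued is accepted and you only pin an individual client.crt there when exactly that one certificate should be accepted; and a reverse proxy that is handed server.crt alone has nothing to present beyond the leaf, which is why the concatenated server-chain.crt is the normal form.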
Hello Sachin, how do I contact you? I have a professional need.
sks336@gmail.com you can email
Nice article. Helped me a lot. LOSE the fake accent PLEASE! Made following the video very difficult!
this is my real accent
@@sachinshukla6047 Where do you live?
@@kumarmanish9046 Let me know if you have any queries related to the MTLS or technology in general.
Very rude