To use this plugin, you must add certificate authority (CA) certificates. These are stored in a separate ca_certificates store rather than the main certificates store because they do not require private keys. To add one, obtain a PEM-encoded copy of your CA certificate and pass it to the /ca_certificates endpoint in a POST request:
The id value returned can now be used for the Header Cert Auth plugin configurations or consumer mappings.
Important: To ensure proper certificate validation, upload all required Certificate Authorities (CAs) and their intermediates into the Kong CA store. Failure to do so may result in incomplete certificate validation, because some WAF and load balancer providers send only the end-leaf certificate in their header rather than encoding the entire certificate chain sent by the client. This is especially crucial when using the base64_encoded format.
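The upload step and the note about intermediates, combined in an added example that is not taken from the Kong documentation: it splits a PEM bundle into individual certificates and POSTs each one to /ca_certificates, so the root and every intermediate land in the CA store. The Admin API address `http://localhost:8001`, the function names, and the one-certificate-per-entry layout are assumptions; the sample bundle contains constructed placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example. Assumptions: Admin API at http://localhost:8001,
# one certificate per /ca_certificates entry.
KONG_ADMIN_URL="${KONG_ADMIN_URL:-http://localhost:8001}"

# split_pem_bundle BUNDLE OUTDIR: writes OUTDIR/ca-N.pem, prints the count.
# Lines outside BEGIN/END markers (comments, blank lines) are dropped.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/ca-%d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# upload_ca FILE: POSTs one PEM certificate; the JSON response carries the id.
upload_ca() {
  curl -sS --fail -X POST "$KONG_ADMIN_URL/ca_certificates" -F "cert=@$1"
}

# upload_bundle BUNDLE: uploads every certificate, stops on the first failure.
upload_bundle() {
  tmp=$(mktemp -d) || return 1
  count=$(split_pem_bundle "$1" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $1" >&2; rm -rf "$tmp"; return 1
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    upload_ca "$tmp/ca-$i.pem" || { rm -rf "$tmp"; return 1; }
    echo
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

# write_sample_bundle FILE: constructed two-entry bundle for a dry run.
write_sample_bundle() {
  printf '%s\n' '# root' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-ROOT' \
    '-----END CERTIFICATE-----' '' '# intermediate' \
    '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-INTERMEDIATE' \
    '-----END CERTIFICATE-----' > "$1"
}

# Runs only when a bundle path is given on the command line.
if [ "$#" -gt 0 ]; then upload_bundle "$1"; fi
```

Record each returned id alongside the certificate it belongs to, since those ids are what the plugin configuration and consumer mappings reference.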