Secure Control Plane and Data Plane Communications
Konnect uses a mutual TLS handshake (mTLS) to authenticate the data plane and control plane to each other, so a private key never leaves the node that owns it and all traffic between control plane and data plane nodes is encrypted and authenticated. Konnect supports two modes for handling certificate/key pairs:
- Pinned mode: This is the default mode. The same public key is added to the data plane and the control plane, and the control plane uses this public key to authenticate the data plane. Validation of the certificate only happens on the control plane.
- Public Key Infrastructure (PKI) mode: This mode uses digital certificates signed by a certificate authority, or a chain of certificate authorities, to authenticate the control plane and data plane to each other. The public key is added to the data plane, while the certificate authority chain is added to the control plane. Any certificate authority in the chain can be used to authenticate between data plane and control plane. Konnect validates both the control plane and data plane sides by checking that they were issued by the same certificate authority, which increases the security of the network and eliminates the risks associated with transporting private keys. This mode is only supported for Control Planes and Control Plane Groups.
Set certificate authentication mode
You specify which certificate authentication mode is used at the control plane level. You can select between Pinned mode and PKI mode while creating a control plane, or edit the control plane to select a different mode.
You need to upload enough of the certificate chain to the control plane that the control plane can trust the certificate in the data plane's request and authenticate it.
Consider the following scenarios with this example cert chain:

| Certificate | Type | Issuer |
|---|---|---|
| cert1 | Service | Issued by Intermediary |
| cert2 | Intermediary | Issued by Root |
| cert3 | Root | Issued by Root (self-signed) |
- Upload only cert1 to the control plane: This is Pinned mode. You can include just `cert1` in your data plane request and omit the chain. The control plane doesn't need to evaluate the issuer because it trusts the cert itself.
- Upload only cert2 to the control plane: Any incoming cert whose issuer is the intermediary would be trusted. You can include just `cert1` in your data plane request. The control plane would trust any certificate issued by the intermediary's key.
- Upload only cert3 to the control plane: This is the typical PKI case. Any cert signed by the root is trusted. However, since `cert1` is signed by the intermediary and `cert2` is signed by the root, you need to include both `cert1` and `cert2` in your data plane request. The control plane would trust the whole chain because `cert2` is issued by `cert3` and `cert1` is issued by `cert2`.
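The three scenarios above, worked through in code. This is an added example, not Konnect's own code or API: it generates a throwaway root, intermediary and service certificate in memory with Go's standard `crypto/x509` package, then models the control plane's check as chain verification against whatever was "uploaded". The CA names and the node name `dataplane.example` are made up for the example; the only page-specific facts used are the cert1/cert2/cert3 roles from the table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain holds the three certificates from the example table: cert1 (service),
// cert2 (intermediary) and cert3 (self-signed root). All are generated here.
type Chain struct {
	Service, Intermediary, Root *x509.Certificate
}

// issue signs tmpl with parentKey, or with the new key itself when parent is
// nil (self-signed), and returns the parsed certificate plus its private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildExampleChain generates cert3 -> cert2 -> cert1 with a short validity.
func BuildExampleChain() (*Chain, error) {
	now := time.Now()
	notBefore, notAfter := now.Add(-time.Hour), now.Add(24*time.Hour)
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: notBefore, NotAfter: notAfter,
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := issue(caTemplate(3, "Example Root CA"), nil, nil) // hypothetical CA name
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate(2, "Example Intermediary CA"), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTemplate := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dataplane.example"}, // hypothetical node name
		DNSNames:     []string{"dataplane.example"},
		NotBefore:    notBefore, NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // data plane is the mTLS client
	}
	leaf, _, err := issue(leafTemplate, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Service: leaf, Intermediary: inter, Root: root}, nil
}

// ControlPlaneTrusts models the control plane check: uploaded are the certs
// configured on the control plane (trust anchors); presented is what the data
// plane sends, leaf first, followed by any chain certificates it includes.
func ControlPlaneTrusts(uploaded, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range uploaded {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented[1:] {
		intermediates.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Scenarios runs the cases from the text and reports which ones are trusted.
func Scenarios(ch *Chain) map[string]bool {
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"upload cert1, present cert1":       ControlPlaneTrusts(certs(ch.Service), certs(ch.Service)) == nil,
		"upload cert2, present cert1":       ControlPlaneTrusts(certs(ch.Intermediary), certs(ch.Service)) == nil,
		"upload cert3, present cert1":       ControlPlaneTrusts(certs(ch.Root), certs(ch.Service)) == nil,
		"upload cert3, present cert1+cert2": ControlPlaneTrusts(certs(ch.Root), certs(ch.Service, ch.Intermediary)) == nil,
	}
}

func main() {
	ch, err := BuildExampleChain()
	if err != nil {
		panic(err)
	}
	for name, ok := range Scenarios(ch) {
		fmt.Printf("%-34s trusted=%v\n", name, ok)
	}
}
```

Pinned mode succeeds because the leaf is itself the trust anchor, so no issuer is evaluated. With only the root uploaded, the bare leaf fails with an unknown-authority error and only succeeds once the intermediary is presented alongside it, which is the "include both cert1 and cert2" requirement from the third scenario. The same check is a useful pre-flight when bringing your own certificates: verify the data plane's chain against exactly what you plan to upload before deploying it.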
You can generate pinned certificates in Konnect or bring your own pinned and PKI certificates. Data plane certificates generated by Konnect have a validity period of ten years. If you bring your own certificates, make sure to review the expiration date and associated metadata. See Renew Certificates for a Data Plane Node for more details.