Secure Control Plane and Data Plane Communications
Konnect uses a mutual TLS handshake (mTLS) to secure communication between the control plane and data plane nodes. Konnect control planes support data planes authenticating either with a certificate key pair (a pinned certificate) or a certificate signed by a CA (a PKI certificate).
- Pinned certificates: The data planes authenticate to the control plane using a shared certificate. For this option, the control plane and data plane nodes are provisioned with the same certificate. The control plane validates that the data planes established the connection using the pinned certificate.
- Public Key Infrastructure (PKI) certificates: The data planes can establish a connection using digital certificates signed by a certificate authority (CA). The control plane must be provisioned with the CA certificate. Konnect uses this certificate to build a chain of trust by verifying the certificates presented by the data planes. If intermediate authorities issue the certificates, the data plane nodes must include the intermediate certificates when establishing a connection to the control plane.
Certificate chain
You must upload enough of the certificate chain to the control plane so that the control plane can trust the certificate in the data plane request and authenticate the data plane.
Consider the following scenarios with this example cert chain:
Certificate | Type | Issuer
---|---|---
cert1 | Service | Issued by Intermediary
cert2 | Intermediary | Issued by Root
cert3 | Root | Issued by Root (self-signed)
- Upload only cert1 to the control plane: This is the pinned certificate. You can include just cert1 in your data plane request and omit the chain. The control plane doesn't need to evaluate the issuer because it trusts the cert itself.
- Upload only cert2 to the control plane: Any incoming certificate issued by the intermediary would be trusted. You can include just cert1 in your data plane request. The control plane would trust any certificate whose signature verifies under the intermediary's public key.
- Upload only cert3 to the control plane: This is the typical PKI case. It means any cert signed by the root is trusted. However, since cert1 is signed by the intermediary and cert2 is signed by the root, you need to include both cert1 and cert2 in your data plane request. The control plane would trust the whole chain because cert2 is issued by cert3 and cert1 is issued by cert2.
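The three upload scenarios above, replayed with openssl as an added example (this is not Kong's code; the chain, subject names and file paths are constructed, and it assumes openssl 1.1.1 or later is on PATH):

```shell
#!/bin/sh
# Added example, not Kong's code. Builds a constructed three-tier chain
# (cert3 root -> cert2 intermediary -> cert1 service) and replays the
# upload scenarios with `openssl verify`: -CAfile plays the certificate
# uploaded to the control plane; the leaf plus any -untrusted certs play
# the data plane request. -partial_chain lets a non-root uploaded cert act
# as the trust anchor, which is how the pinned and intermediary cases work.
# Assumes openssl 1.1.1+ on PATH; all names and paths are constructed.
set -e
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # silence openssl's progress output

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# cert3: self-signed root
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
    -keyout root.key -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out cert3.pem
# cert2: intermediary, issued by the root
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediary" \
    -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA cert3.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out cert2.pem
# cert1: service (data plane) certificate, issued by the intermediary
q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=dp-node-1" \
    -keyout dp.key -out dp.csr
q openssl x509 -req -in dp.csr -CA cert2.pem -CAkey inter.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out cert1.pem

# verify_dp UPLOADED LEAF [CHAIN...]  -> prints "ok" or "FAIL"
verify_dp() {
    uploaded="$1"; leaf="$2"; shift 2
    extra=""
    for c in "$@"; do extra="$extra -untrusted $c"; done
    # $extra is intentionally left unquoted so it word-splits into options
    if q openssl verify -partial_chain -CAfile "$uploaded" $extra "$leaf"; then
        echo ok
    else
        echo FAIL
    fi
}

echo "upload cert1, present cert1:         $(verify_dp cert1.pem cert1.pem)"            # ok
echo "upload cert2, present cert1:         $(verify_dp cert2.pem cert1.pem)"            # ok
echo "upload cert3, present cert1 only:    $(verify_dp cert3.pem cert1.pem)"            # FAIL
echo "upload cert3, present cert1 + cert2: $(verify_dp cert3.pem cert1.pem cert2.pem)"  # ok
```

The third line is the failure mode the text warns about: with only the root uploaded, a data plane that omits cert2 cannot be chained back to it and is rejected.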
Generate certificates in Konnect
Konnect provides several options to generate or add a certificate for your data plane nodes.
Generate a certificate key pair
When you use the Konnect wizard to create a data plane node, it generates a certificate key pair. Data planes can establish a connection with this certificate key pair (pinned cert).
- Navigate to Gateway Manager in Konnect.
- Click on the control plane you want to create a data plane node for.
- Click Data Plane Nodes in the sidebar.
- Click Create a New Data Plane Node.
- Follow the instructions in the wizard to create a data plane node and generate the certificate key pair.
Generate a CA-signed certificate
Using the Konnect UI, you can generate a CA certificate, which allows data planes to connect using a certificate signed by that CA (PKI). Alternatively, you can upload your own CA certificate using the upload option.
- Navigate to Gateway Manager in Konnect.
- Click on the control plane you want to create a data plane node for.
- From the Action menu, select Data Plane Certificates.
- Either upload or generate a certificate.
Certificates generated by Konnect are valid for 10 years. If you bring your own certificates, make sure to review the expiration date and associated metadata. See Renew Certificates for a Data Plane Node for more details.