Secure Control Plane and Data Plane Communications
Konnect uses a mutual TLS handshake (mTLS) to authenticate the data plane and the control plane to each other, so the private key is never transferred over the network and communication between control plane and data plane nodes is secure. Konnect supports two modes for handling certificate/key pairs:
Pinned mode: This is the default mode. The same public key is added to the data plane and the control plane, and the control plane uses this public key to authenticate the data plane. Validation of the certificate only happens on the control plane.
Public Key Infrastructure (PKI) mode: This mode uses digital certificates signed by a certificate authority, or a chain of certificate authorities, to authenticate between control plane and data plane. The public key is added to the data plane, while the certificate authority chain is added to the control plane. Any certificate authority in the chain can be used to authenticate between data plane and control plane. Konnect validates both the control plane and data plane sides by checking that they are from the same certificate authority, thereby increasing the security of the network and eliminating the risks associated with transporting private keys. This mode is only supported for Control Planes and Control Plane Groups.
Set certificate authentication mode
You specify which certificate authentication mode is used at the control plane level. You can select between Pinned mode and PKI mode while creating a control plane, or edit the control plane to select a different mode.
You need to upload enough of the certificate chain to the control plane that the control plane can trust the certificate in the data plane's request and authenticate it.
Consider the following scenarios with this example cert chain:
cert1 (issuer: intermediary)
cert2 (issuer: root)
cert3 (issuer: root / self signed)
Upload only cert1 to the control plane: This is the Pinned mode. You can include just cert1 in your data plane request and not include the chain. The control plane doesn't need to evaluate the issuer because it trusts the cert itself.
Upload only cert2 to the control plane: This would mean any cert coming in that has (issuer: intermediary) would be trusted. You can include just cert1 in your data plane request. The control plane would trust any certificate issued by the intermediary public key.
Upload only cert3 to the control plane: This is the typical PKI case. It means any cert signed by the root is trusted. However, since cert1 is signed by the intermediary and cert2 is signed by the root, you need to include both cert1 and cert2 in your data plane request. The control plane would trust the whole chain because cert2 is issued by cert3 and cert1 is issued by cert2.
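The three upload scenarios above, as an added example that is not Konnect's own code: it builds a constructed cert1/cert2/cert3 chain and uses Go's crypto/x509 as a stand-in for the control plane's trust check, with the uploaded certs as the trust anchors and the certs the data plane sends as the intermediates. All subjects, serials and keys are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a cert for cn signed by parent; a nil parent means self-signed. Subjects, serials and keys are constructed.
func mkCert(cn string, serial int64, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// NewChain builds the page's chain: cert3 (root, self-signed) signs cert2 (intermediary), which signs cert1 (data plane leaf).
func NewChain() (cert1, cert2, cert3 *x509.Certificate) {
	cert3, key3 := mkCert("root", 3, true, nil, nil)
	cert2, key2 := mkCert("intermediary", 2, true, cert3, key3)
	cert1, _ = mkCert("dataplane", 1, false, cert2, key2)
	return
}
// Trusted reports whether a control plane that trusts only anchors accepts leaf when the data plane presents
// leaf plus presented. Go's x509 accepts any Roots entry as an anchor, even a non-self-signed cert2 or the leaf itself.
func Trusted(leaf *x509.Certificate, anchors, presented []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}
```

Uploading only cert3 and sending only cert1 fails because nothing links the leaf to the root; sending cert2 as well makes the chain verify, which is the PKI case the page describes.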
You can generate pinned certificates in Konnect or bring your own pinned and PKI certificates. Data plane certificates generated by Konnect expire every ten years. If you bring your own certificates, make sure to review the expiration date and associated metadata. See Renew Certificates for a Data Plane Node for more details.