MTLS - Mutual TLS (Everything you need to know)

  • Published 1 Oct 2024
  • MTLS Part-I:
    / mtls-everything-you-ne...
    MTLS Part - II (API Gateway)
    / mtls-aws-api-gateway-p...
    Github:
    github.com/sks...

COMMENTS • 44

  • @AndreLuisPorto 1 year ago +4

    Thank you, @Sachin, for such great content. It is really helping me a lot!
    Now, for any ADHD viewer here, like me, just go get your coffee, take your time and come back to focus: I can assure you that it's not your WhatsApp notification popping. Just (try to) ignore it and enjoy the lesson.

  • @pradiptakar 15 days ago

    Hi Sachin, I am trying to implement mTLS in Tomcat, but it's not validating the leaf certificate. Just the presence of the root and intermediary seems enough. Can you please help with how to ensure leaf-level certificate validation?

  • @LolToalNoobs 1 year ago +2

    One thing I am still confused about. If we use our client public certificate to send to the server and the server simply checks the trust store to make sure it's a trusted client, how does the server know that some other unauthorised/malicious client isn't using our public certificate and pretending to be us? It is a public cert after all.
    Or are we saying this certificate is not truly public and should be treated like a private key?
    _______________
    OR, do we say that no symmetric key is generated, and instead both parties use the received public key to encrypt data (ensuring that the recipient can only read it if they hold the private key)?
    My idea would be: the server would encrypt some data using the public key, send it to the client, and the client must send back the correct result to verify that the client holds the private key; THEN and only THEN can a symmetric key be used. But this is not explained anywhere. Please help (::

    • @sachinshukla6047 1 year ago +1

      I read it at a glance; your explanation at the end is true. With the handshake, when the public key is present in the server's trust store, anything encrypted using it can only be decrypted by the right client.

  • @memosen80 4 days ago

    Thank you, but it would make more sense if you showed 2 different apps, client and server, and adjusted the application.yml accordingly.

  • @himuhotbaba 2 months ago

    Hi, which tool are you using to execute this MTLS?

  • @random4u 1 year ago +1

    One trap I fell into with modern browsers: they don't really care about the CN field anymore; rather, they need it to be listed in the SAN (Subject Alternative Name) field.
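    The question @LolToalNoobs raises above (how the server knows that whoever presents a public client certificate also holds its private key) and @random4u's SAN observation both come down to checks the TLS stack performs. The Go program below is an added example, not code from the video or from the author's GitHub repository. It builds a throwaway root CA plus server and client certificates (all names, such as api.example.test and billing-client, are constructed), runs a real mTLS handshake over a loopback TCP connection with Go's crypto/tls, and shows that a copy of the client's public certificate paired with a different private key is rejected: the client has to sign the handshake transcript (the CertificateVerify message) with the key matching the certificate, so a copied certificate alone is useless. The server's trust store holds only the CA, not individual client certificates. The same program shows the SAN point: a certificate whose hostname appears only in the CN fails hostname verification even though its chain is valid. It needs Go 1.20 or later (generics and errors.Join).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must turns a setup failure (key generation, signing) into a panic: it is never a TLS verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a P-256 key and a certificate for it: a self-signed root CA when parent is nil,
// otherwise a leaf signed by parent with the given EKU. All names are constructed for the demo.
func issue(cn string, sans []string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// HostnameVerifies does the browser's job: it builds the chain up to a root in roots locally
// (no request to the CA) and matches host against the SANs only, so a CN-only cert fails.
func HostnameVerifies(roots *x509.CertPool, cert *x509.Certificate, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// MutualHandshake runs an mTLS handshake over loopback TCP. The server trusts only roots
// (the CA, not individual client certs) and requires a client certificate; nil means both ends completed.
func MutualHandshake(roots *x509.CertPool, serverName string, serverCert, clientCert tls.Certificate) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots})
			if err = s.Handshake(); err == nil {
				_, err = s.Write([]byte("ok"))
			}
		}
		srvErr <- err
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: roots, ServerName: serverName})
	if err == nil {
		// In TLS 1.3 the client finishes before the server has judged its CertificateVerify,
		// so read the server's first record: the "ok" above, or a rejection alert.
		_, err = c.Read(make([]byte, 2))
		c.Close()
	}
	return errors.Join(<-srvErr, err)
}

func main() {
	ca, caKey := issue("Demo Root CA", nil, x509.ExtKeyUsageAny, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv, srvKey := issue("api.example.test", []string{"api.example.test"}, x509.ExtKeyUsageServerAuth, ca, caKey)
	cnOnly, otherKey := issue("api.example.test", nil, x509.ExtKeyUsageServerAuth, ca, caKey)
	cli, cliKey := issue("billing-client", nil, x509.ExtKeyUsageClientAuth, ca, caKey)
	fmt.Println("SAN cert hostname check:    ", HostnameVerifies(roots, srv, "api.example.test"))
	fmt.Println("CN-only cert hostname check:", HostnameVerifies(roots, cnOnly, "api.example.test"))
	serverTLS := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	// The genuine client holds the private key that matches its public certificate.
	fmt.Println("genuine client mTLS:        ", MutualHandshake(roots, "api.example.test", serverTLS, tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}))
	// An impostor with a copy of that public certificate but another key (here the CN-only cert's key)
	// is rejected: its CertificateVerify signature does not verify under the certificate's public key.
	fmt.Println("impostor with copied cert:  ", MutualHandshake(roots, "api.example.test", serverTLS, tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: otherKey}))
}
```

    Run it with `go run .`: the SAN certificate and the genuine client print `<nil>`, while the CN-only certificate fails hostname verification and the impostor handshake fails with a server-side signature error. Because the server's trust store holds the CA rather than client.crt, any certificate the CA issued is accepted, which is why operators usually pin to a dedicated client-issuing CA rather than a public one.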

  • @gayathrimamidipudi1721 4 months ago

    Root cert was a lil confusing, else it gave me a fair idea.

  • @Letraveler_rd 1 year ago +1

    Can you explain how to generate a client certificate? I'm not sure what to place in the CN field since it's a server. I would like to talk more in detail to you.

    • @sachinshukla6047 1 year ago

      The client can enter its own details, where it is hosted, in the CN field.

  • @malikahmed2399 3 months ago

    Brother, help is required. Please respond if possible.

  • @sheksbear 18 days ago

    The explanation and article are beneficial. One piece of feedback is to clearly specify passing the "public key of" client/server/CA, else it may be confusing for people. I first learnt about asymmetric encryption, then came here, and it helped.

    • @sheksbear 18 days ago

      Also, instead of passing the passphrase towards the end, can we use symmetric session key encryption?

  • @codedoctor3265 3 months ago

    One of the best explanations I found so far :). Loved it. Keep up the good work.

  • @MonojitBarua 4 months ago

    @06:50 can you explain what the -cacert is that you are passing in the curl command? Is that the client CA cert? If so, why are we sending the client CA cert to the server?

  • @MrBestard 1 year ago +1

    I just realized many other tutorials have missed/skipped step 6 in the pictures. The step to validate the cert with the CA. Thanks for clearing that up. 🎉

    • @riteshsinghania5 1 year ago +1

      Thanks for the video. Just to clarify on step #6, the client doesn't contact the CA for validation directly over the network. It is the client's browser which contains the CA certificate (Root CA & Issuing CA of the server certificate) in the browser trust store; this is where the validation chaining is computed and trusted.

  • @zeyuanzhang1032 1 year ago

    I mean, is it the same when I integrate several certificate files which are included in the cert chain into one cert file as ca.crt, then I use the client.crt which is not changed and integrated at all to auth? I just failed in a Traefik environment.

  • @BarkanErdogdu 6 months ago

    Why did you skip the curl command part?

  • @zeyuanzhang1032 1 year ago

    But when I set up mTLS in Traefik, the cert returns the server.crt, but my leader told me a cert chain containing several cert files including server.crt and ca.crt is normal, not a single cert such as server.crt.

    • @zeyuanzhang1032 1 year ago

      Using cat to concat them into one file is the deal, but client.crt just can't identify.

  • @rajuarumugam4132 1 month ago

    awesome explanation with an example

  • @firozalam2749 4 months ago

    Yes, this is helpful @sachine

  • @SriniSrini-z8j 11 months ago

    Hello Sachin, how do I contact you? I have some professional need.

  • @ЕвгенийВовчок-ы5р

    Thanks for the video. This part with the graphic was very useful for understanding

  • @MarimuthuUdayakumar 4 months ago

    Well explained 👏👏🙌

  • @yoramnagavker2144 9 months ago

    thanks for the help

  • @aayushgore4545 9 months ago

    very nice video. thank you @sachin

  • @marcopierrefernandezburgos3116

    My application is running in AWS ECS, the path to connect to my app externally is as follows:
    AWS route53 => Load Balancer => AWS ECS (my app runs here)
    Do you know if I could still perform mTLS in my app running in ECS? I think that the only way would be to introduce an AWS API Gateway. What do you think?
    By the way, I love this video, it is the best for this topic.

    • @sachinshukla6047 1 year ago

      Do you really have to use MTLS for your scenario? To me it seems to be a public endpoint, as you mentioned Route53.
      Moreover, in ELB you can apply security groups (if ALB and not NLB), which ensures/restricts access to the expected client.

    • @marcopierrefernandezburgos3116 1 year ago +1

      @sachinshukla6047 we really need mTLS since the client does not have a static IP. I figured out that we can use an NLB instead of an ALB. In this way the TLS operations can occur in our backend, but it sounds better to introduce AWS API Gateway since it already supports mTLS out of the box. Thanks for your video and answer, I really appreciate it.

    • @sachinshukla6047 1 year ago +1

      Welcome 🙏

    • @Bishwakec 1 year ago

      @sachinshukla6047 does the server need to add the (public) client.crt instead of rootCA.crt to the server trust store? If yes, in what scenario?

  • @debashishbhattacharjee8188 10 months ago

    Very nice explanation. Great job

  • @narasimhaswamy7423 6 months ago

    Very nice.

  • @bhanunm 1 year ago

    dude.. loved it. great stuff

  • @kumarmanish9046 1 year ago +1

    Nice article. Helped me a lot. LOSE the fake accent PLEASE! Made following the video very difficult!

    • @sachinshukla6047 1 year ago +1

      This is my real accent.

    • @kumarmanish9046 1 year ago

      @sachinshukla6047 Where do you live?

    • @sachinshukla6047 1 year ago +1

      @kumarmanish9046 Let me know if you have any queries related to MTLS or technology in general.

    • @Mike-ci5io 7 months ago

      Very rude