One of best explanation I found so far :) , Loved it. Keep up good work

dude.. loved it. great stuff

Thanks for the video. This part with the graphic was very useful for understanding

Thank you, @Sachin, for such great content. It is really helping me a lot! Now, for any ADHD viewer here, like me, just go get your coffee, take your time and come back to focus: i can assure you that it's not your whatsapp notification poping. Just (try to) ignore it and enjoy the lesson.

Very nice explanation. Great job

very nice video. thank you @sachin

Well explained 👏👏🙌

I just realized many other tutorials have missed/skipped step 6 in the pictures. The step to validate the cert with the CA. Thanks for clearing that up. 🎉

@riteshsinghania5

9 ай бұрын

Thanks for the video. Just to clarify on step # 6, client doesnt contact CA for validation directly over the network. It is client's browser which contains the CA certificate (Root CA & Issuing CA of the server certificate) in the browser trust store, this is where the validation chaining is computed and trusted.

Very nice.

thanks for the help

yes this is helpful @sachine

One trap I fell in for modern browsers, they don't really care about CN field anymore, rather they need it to be listed in the SAN (Subject Alternative Name) field

i mean is it same when i integrate several certificatesfiel which are included in cert chain into one cert file as ca.crt,then i used the client.crt which is not changed and integrated atalld to auth?i just failed in traefik environment.

@06:50 can you explain what is the -cacert you are passing in curl command, is that the client ca cert? if so why we are sending client ca cert to server?

One thing I am still confused about. If we use our client public certificate to send to the server and the server simply checks the trust store to make sure it's a trusted client - how does the server know that some other unauthorised/malicious client isn't using our public certificate and pretend to be us? it is a public cert after all Or are we saying this certificate is not truly public and should be treated like a private key? _______________ OR - do we say that no symmetrical key is generated, and instead both parties use the received public key to encrypt data (ensuring that the recipient can only read if they hold the private key)?) My idea would be server would encrypt some data using the public key, send to client and client must send back correct result to verify client holds the private key, THEN and only THEN can a symmetric key be used - but this is not explained anywhere. Please help (::

@sachinshukla6047

11 ай бұрын

I read it at a glance, your explanation at the last is true.. with handshake when public key is present in Server’s trust store then anything encrypted using that only the right client would be able to decrypt it

Can you explain how to generate a cliente certificate? I’m not sure what to place on the CN field since it’s a server. I would like to talk more in detail to you.

@sachinshukla6047

Жыл бұрын

Client can enter its own detail where it hosts in CN field

Root cert was Lil confusing.else it gave me a fair idea

but when i set up mtls in traefik,the cert returns the server.crt,but my leader told me cert chain containing several cert files including server.crt and ca.crt is normal but not single cert as server.crt

@zeyuanzhang1032

9 ай бұрын

use cat to concat them in one file is deal,but client.crt just cant identidy

Why you skip the curl command part?

My application is running in AWS ECS, the path to connect to my app externally is as follows: AWS route53 => Load Balancer => AWS ECS (my app runs here) Do you know if I could still perform mTLS in my app running in ECS? I think that the only way would be to introduce an AWS API Gateway. What do you think? By the way, I love this video, it is the best for this topic.

@sachinshukla6047

Жыл бұрын

Do you really have to use MTLS for your scenario…?.. to me it seems to be a public endpoint as you mentioned Route53. Moreover in ELB you can apply security groups (if ALB and not NLB) which ensures/restricts to the expected client…

@marcopierrefernandezburgos3116

Жыл бұрын

@@sachinshukla6047 we really need mTLS since the client do not have static IP. I figured out that we can use NLB instead of ALB. In this way the TLS operations can occur in our backend but it sounds better to introduce AWS API gateway since it already support mTLS out the box, thanks for your video and answer, I really appraicete it.

@sachinshukla6047

Жыл бұрын

Welcome 🙏

@Bishwakec

10 ай бұрын

@sachinshukla6047 do server need to add (public) client.crt instead of rootCA.crt at server trust store? If yes, on what scenario?

Hello sachin - how do contact you.. I have some professional need

@sachinshukla6047

8 ай бұрын

sks336@gmail.com you can email

Nice article. Helped me a lot. LOSE the fake accent PLEASE! Made following the video very difficult!

@sachinshukla6047

Жыл бұрын

this is my real accent

@kumarmanish9046

Жыл бұрын

@@sachinshukla6047 Where do you live?

@sachinshukla6047

Жыл бұрын

@@kumarmanish9046 Let me know if you have any queries related to the MTLS or technology in general.

@Mike-ci5io

4 ай бұрын

Very rude