MTLS Part-I: / mtls-everything-you-ne... MTLS Part - II (API Gateway) / mtls-aws-api-gateway-p... Github: github.com/skshukla/tlsdemo.git
Comments: 36
@codedoctor326512 days ago
One of the best explanations I have found so far :), loved it. Keep up the good work.
@bhanunm11 months ago
Dude.. loved it. Great stuff.
@user-yi5xm7ev5q A year ago
Thanks for the video. This part with the graphic was very useful for understanding
@AndreLuisPorto8 months ago
Thank you, @Sachin, for such great content. It is really helping me a lot! Now, for any ADHD viewer here, like me, just go get your coffee, take your time and come back to focus: I can assure you that it's not your WhatsApp notification popping. Just (try to) ignore it and enjoy the lesson.
@debashishbhattacharjee81887 months ago
Very nice explanation. Great job
@aayushgore45456 months ago
Very nice video. Thank you @sachin
@MarimuthuUdayakumar A month ago
Well explained 👏👏🙌
@MrBestard A year ago
I just realized many other tutorials have missed/skipped step 6 in the pictures. The step to validate the cert with the CA. Thanks for clearing that up. 🎉
@riteshsinghania5
9 months ago
Thanks for the video. Just to clarify on step #6: the client doesn't contact the CA for validation directly over the network. It is the client's browser which contains the CA certificate (Root CA & Issuing CA of the server certificate) in the browser trust store; this is where the validation chaining is computed and trusted.
@narasimhaswamy74233 months ago
Very nice.
@yoramnagavker21445 months ago
Thanks for the help
@firozalam2749 A month ago
Yes, this is helpful @sachine
@random4u11 months ago
One trap I fell into with modern browsers: they don't really care about the CN field anymore, rather they need the name to be listed in the SAN (Subject Alternative Name) field.
@zeyuanzhang1032 9 months ago
I mean, is it the same when I integrate several certificate files which are included in the cert chain into one cert file as ca.crt, then I use the client.crt, which is not changed and integrated at all, to auth? I just failed in a Traefik environment.
@MonojitBarua A month ago
@06:50 can you explain what the --cacert you are passing in the curl command is? Is that the client CA cert? If so, why are we sending the client CA cert to the server?
@LolToalNoobs A year ago
One thing I am still confused about. If we use our client public certificate to send to the server and the server simply checks the trust store to make sure it's a trusted client, how does the server know that some other unauthorised/malicious client isn't using our public certificate and pretending to be us? It is a public cert after all. Or are we saying this certificate is not truly public and should be treated like a private key? _______________ OR, do we say that no symmetric key is generated, and instead both parties use the received public key to encrypt data (ensuring that the recipient can only read if they hold the private key)? My idea would be: the server would encrypt some data using the public key, send it to the client, and the client must send back the correct result to verify the client holds the private key; THEN and only THEN can a symmetric key be used. But this is not explained anywhere. Please help (::
@sachinshukla6047
11 months ago
I read it at a glance; your explanation at the end is true. With the handshake, when the public key is present in the server's trust store, then anything encrypted using it, only the right client would be able to decrypt.
@Letraveler_rd A year ago
Can you explain how to generate a client certificate? I'm not sure what to place in the CN field since it's a server. I would like to talk in more detail with you.
@sachinshukla6047
A year ago
The client can enter its own detail, where it is hosted, in the CN field.
@gayathrimamidipudi172126 days ago
Root cert was a little confusing, else it gave me a fair idea.
@zeyuanzhang1032 9 months ago
But when I set up mTLS in Traefik, the cert returns the server.crt, but my leader told me a cert chain containing several cert files, including server.crt and ca.crt, is normal, not a single cert like server.crt.
@zeyuanzhang1032
9 months ago
Using cat to concat them into one file is the deal, but client.crt just can't identify.
@BarkanErdogdu 3 months ago
Why did you skip the curl command part?
@marcopierrefernandezburgos3116 A year ago
My application is running in AWS ECS; the path to connect to my app externally is as follows: AWS Route53 => Load Balancer => AWS ECS (my app runs here). Do you know if I could still perform mTLS in my app running in ECS? I think that the only way would be to introduce an AWS API Gateway. What do you think? By the way, I love this video, it is the best for this topic.
@sachinshukla6047
A year ago
Do you really have to use mTLS for your scenario…? To me it seems to be a public endpoint, as you mentioned Route53. Moreover, in ELB you can apply security groups (if ALB and not NLB), which ensures/restricts access to the expected client…
@marcopierrefernandezburgos3116
A year ago
@@sachinshukla6047 we really need mTLS since the client does not have a static IP. I figured out that we can use NLB instead of ALB. In this way the TLS operations can occur in our backend, but it sounds better to introduce AWS API Gateway since it already supports mTLS out of the box. Thanks for your video and answer, I really appreciate it.
@sachinshukla6047
A year ago
Welcome 🙏
@Bishwakec
10 months ago
@sachinshukla6047 does the server need to add the (public) client.crt instead of rootCA.crt to the server trust store? If yes, in what scenario?
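Several threads above circle around the same handful of checks: whether "step 6" involves a round-trip to the CA (it does not; chain building happens locally against a trust store), why the CN no longer matters once a SAN is present, what curl's --cacert is for, why a stolen client.crt alone is not enough to impersonate a client, why Traefik wants a chain file rather than a bare server.crt, and whether the server's trust store should hold client.crt or rootCA.crt. The script below is an added example written for this page; it is not the video's tlsdemo code and is not endorsed by its author. It assumes OpenSSL 1.1.1 or newer on the PATH, uses P-256 keys for speed, and makes up the names localhost, api.internal.test and billing-batch-job, a two-level CA (root plus issuing CA) so the chain question is visible, and a constructed "transcript" file to stand in for the handshake data that the client signs in CertificateVerify.

```shell
#!/bin/sh
# Added mTLS demo PKI (example code, not from the tlsdemo repository).
# Assumptions: OpenSSL >= 1.1.1, EC P-256 keys, made-up hostnames and CNs.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# issue_cert <base> <subject> <extfile> <issuer-base|self>
# Writes $PKI_DIR/<base>.key and $PKI_DIR/<base>.crt.
issue_cert() {
  base="$1"; subj="$2"; ext="$3"; issuer="$4"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$subj" -keyout "$PKI_DIR/$base.key" -out "$PKI_DIR/$base.csr" 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$PKI_DIR/$base.csr" -signkey "$PKI_DIR/$base.key" \
      -days 7 -sha256 -extfile "$ext" -out "$PKI_DIR/$base.crt" 2>/dev/null
  else
    openssl x509 -req -in "$PKI_DIR/$base.csr" -CA "$PKI_DIR/$issuer.crt" \
      -CAkey "$PKI_DIR/$issuer.key" -CAcreateserial -days 7 -sha256 \
      -extfile "$ext" -out "$PKI_DIR/$base.crt" 2>/dev/null
  fi
}

# Root CA -> issuing CA -> server cert; client cert issued by the root directly.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI_DIR/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI_DIR/issuing.ext"
  # The server CN is deliberately not a hostname: clients match against the SAN.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,DNS:api.internal.test\n' > "$PKI_DIR/server.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$PKI_DIR/client.ext"
  issue_cert rootCA       "/CN=Demo Root CA"      "$PKI_DIR/ca.ext"      self
  issue_cert intermediate "/CN=Demo Issuing CA"   "$PKI_DIR/issuing.ext" rootCA
  issue_cert server       "/CN=ignored-cn"        "$PKI_DIR/server.ext"  intermediate
  issue_cert client       "/CN=billing-batch-job" "$PKI_DIR/client.ext"  rootCA
  # What a TLS terminator such as Traefik should be handed: leaf first, then the
  # issuing CA(s). The root stays in the peer's trust store, it is not "sent".
  cat "$PKI_DIR/server.crt" "$PKI_DIR/intermediate.crt" > "$PKI_DIR/server-chain.crt"
}

# "Step 6" as clients really do it: path building is local, against a trust
# store; nothing is asked of the CA over the network.
verify_leaf_with_root_only() {   # fails: the issuing CA is missing from the path
  openssl verify -CAfile "$PKI_DIR/rootCA.crt" "$PKI_DIR/server.crt" >/dev/null 2>&1
}
verify_leaf_with_chain() {       # succeeds: intermediate supplied (as the server would in its chain)
  openssl verify -CAfile "$PKI_DIR/rootCA.crt" -untrusted "$PKI_DIR/intermediate.crt" \
    "$PKI_DIR/server.crt" >/dev/null 2>&1
}
verify_hostname() {              # $1 = hostname; only the SAN is consulted once one exists
  openssl verify -CAfile "$PKI_DIR/rootCA.crt" -untrusted "$PKI_DIR/intermediate.crt" \
    -verify_hostname "$1" "$PKI_DIR/server.crt" >/dev/null 2>&1
}
# Server side of mTLS: the trust store holds the CA that issued client certs
# (rootCA.crt here), not the individual client.crt files.
verify_client_against_trust_store() {
  openssl verify -CAfile "$PKI_DIR/rootCA.crt" -purpose sslclient "$PKI_DIR/client.crt" >/dev/null 2>&1
}
# Why a leaked client.crt is not enough: the client must sign the handshake
# transcript with its private key (CertificateVerify) and the server checks that
# signature with the public key inside client.crt. $1 = key the "client" signs with.
sign_and_verify() {
  printf 'constructed handshake transcript' > "$PKI_DIR/transcript"   # stand-in data
  openssl x509 -in "$PKI_DIR/client.crt" -pubkey -noout > "$PKI_DIR/client.pub" 2>/dev/null
  openssl dgst -sha256 -sign "$1" -out "$PKI_DIR/transcript.sig" "$PKI_DIR/transcript" 2>/dev/null &&
  openssl dgst -sha256 -verify "$PKI_DIR/client.pub" -signature "$PKI_DIR/transcript.sig" \
    "$PKI_DIR/transcript" >/dev/null 2>&1
}

main() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2; return 0
  fi
  make_pki
  verify_leaf_with_root_only && echo "unexpected: leaf verified without the issuing CA" && return 1
  verify_leaf_with_chain && echo "server chain OK (root in trust store, intermediate from chain file)"
  verify_hostname localhost && echo "SAN match: localhost"
  verify_hostname ignored-cn || echo "CN alone does not match: ignored-cn rejected"
  verify_client_against_trust_store && echo "client.crt chains to rootCA.crt (server trust store)"
  sign_and_verify "$PKI_DIR/client.key" && echo "holder of client.key proves possession"
  sign_and_verify "$PKI_DIR/server.key" || echo "client.crt with the wrong key: rejected"
  echo "client call against a server configured with server-chain.crt + server.key:"
  echo "  curl --cacert $PKI_DIR/rootCA.crt --cert $PKI_DIR/client.crt --key $PKI_DIR/client.key https://localhost:8443/"
}

main "$@"
```

Run it as `PKI_DIR=/tmp/demo-pki sh mtls-demo.sh` to keep the files. In the curl line, `--cacert` is the trust anchor curl uses to verify the server's chain; it is never sent to the server. The client's own CA is configured on the server side (its trust store), and `--cert`/`--key` are what curl uses to answer the server's CertificateRequest, which is the step the sign_and_verify function mimics.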
@user-ok7ik6ht7h 8 months ago
Hello Sachin, how do I contact you? I have some professional need.
@sachinshukla6047
8 months ago
sks336@gmail.com you can email
@kumarmanish9046 A year ago
Nice article. Helped me a lot. LOSE the fake accent PLEASE! Made following the video very difficult!
@sachinshukla6047
A year ago
This is my real accent.
@kumarmanish9046
A year ago
@@sachinshukla6047 Where do you live?
@sachinshukla6047
A year ago
@@kumarmanish9046 Let me know if you have any queries related to the MTLS or technology in general.
@Mike-ci5io
4 months ago
Very rude