mTLS: restrict client cert to specific subdomain?
tldr
Via mTLS, I'm trying to find a way of issuing a client cert that only grants that client to access a specific subdomain. I have a suspicion that this isn't possible, but I'm not certain.
What I'm trying to accomplish
Let's say I have a server listening to anything routed to *.foo.flar.com
Each customer is assigned their own subdomain that satisfies the wildcard in the server's address.
For example, customer1
should access the server via customer1.foo.flar.com
, and customer2
should access the server via customer2.foo.flar.com
.
Further, one customer must be prevented from accessing the server using a different customer's subdomain. So, it is illegal for customer1
to request customer2.foo.flar.com
, and such a request should be rejected.
I was hoping that I could accomplish this at the session layer via mTLS and some clever SAN cert usage, but I'm having trouble getting it to work properly.
How I have things setup
I'm pretty new to playing around with TLS, so a lot of this came from this SO answer about SAN configuration and this article about basic mTLS configuration.
I've omitted some things here like CA cert generation and client and server CSR generation to try and keep things focused, but can add it if you'd like.
I created a server cert using something like:
openssl x509 \
-req \
-extfile <(printf "subjectAltName=DNS:*.foo.flar.com") \
-days 365 \
-in server.csr \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-out server.crt
Then I created a client cert using something like:
openssl x509 \
-req \
-extfile <(printf "subjectAltName=DNS:customer1.foo.flar.com") \
-days 365 \
-in client.csr \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-out client.crt
The server (written in Go) is configured to require and verify client certs.
The problem
The problem is that when I test this setup, the connection succeeds when I would expect it to fail.
If I have a client issued the customer1
cert call the server at customer1.foo.flar.com
, the connection succeeds.
However, if I have a client issued the customer1
cert call the server at customer2.foo.flar.com
, that connection also succeeds when I would expect it to fail.
I was hoping that, upon inspection of the client's cert, the server would see that customer1
does not have access to customer2...
, and would reject the request. But this does not seem to be happening.
Ideas?
Solution 1:
Client certificates contain only the information to authenticate the user. Any restrictions on what the authenticated user can do (authorization) including on which site the certificate will be accepted are up to the server who checks the certificate.