I’m using mTLS with Google Cloud for a load balancer. I have defined a TrustAnchor defining my supported root CAs. The expectation would be that a certificate_authorities extension is included in the certificate_request_context extensions to inform the client which CAs are supported, so that the client can use a correct key and certificate signed by this CA. But GC is not including this. Is there a flag or option to enforce this?
Since the client supports multiple servers, the client uses this for the certificate lookup, i.e. a fixed selection and presentation of the client certificate does not work.
1 Like
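The client-side certificate lookup the question describes, as an added Go example (not code from the original post, from Google Cloud, or from any library the thread mentions): it chooses among several client certificates using the certificate_authorities list that crypto/tls exposes as `CertificateRequestInfo.AcceptableCAs`, and fails closed when the server advertises none. The helper names and the sample distinguished names are assumptions.

```go
package main
import (
	"bytes"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
)
// errNoCAList is returned when the CertificateRequest carried no certificate_authorities.
var errNoCAList = errors.New("server advertised no certificate_authorities")
// dnDER encodes a distinguished name as the DER bytes the extension carries (sample data only).
func dnDER(name pkix.Name) []byte {
	der, _ := asn1.Marshal(name.ToRDNSequence()) // marshalling an RDNSequence does not fail
	return der
}

// pickByIssuer returns the index of the first certificate whose leaf issuer DN equals one
// of the DER names in acceptableCAs (tls.CertificateRequestInfo.AcceptableCAs), or -1.
func pickByIssuer(certs []tls.Certificate, acceptableCAs [][]byte) (int, error) {
	if len(acceptableCAs) == 0 {
		return -1, errNoCAList // the failure mode the question describes
	}
	for i, c := range certs {
		leaf := c.Leaf
		if leaf == nil { // older Go does not populate Leaf in tls.X509KeyPair
			var err error
			if leaf, err = x509.ParseCertificate(c.Certificate[0]); err != nil {
				return -1, err
			}
		}
		for _, ca := range acceptableCAs {
			if bytes.Equal(leaf.RawIssuer, ca) {
				return i, nil
			}
		}
	}
	return -1, errors.New("no client certificate is issued by an advertised CA")
}

// clientConfig wires the lookup into crypto/tls; aborting beats presenting a cert the server rejects.
func clientConfig(certs []tls.Certificate) *tls.Config {
	return &tls.Config{GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		i, err := pickByIssuer(certs, cri.AcceptableCAs)
		if err != nil {
			return nil, err
		}
		return &certs[i], nil
	}}
}
```

Against a server that omits the extension, `GetClientCertificate` receives an empty `AcceptableCAs`, which is exactly the condition that makes a multi-CA client unable to choose.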
Hi @k_o_ ,
It looks like you’re facing an issue with Google Cloud mTLS not including the certificate_authorities extension in the certificate_request_context, which is needed to inform clients about the supported Certificate Authorities (CAs). This extension might not be supported by Google Cloud’s mTLS out-of-the-box.
You can try a custom implementation. If the certificate_authorities extension is essential for your use case, you may need to consider creating a custom implementation using a different load balancer or proxy that offers more control over the mTLS negotiation process.
If this does not work, contact Google Cloud Support to check your project and setup further.
1 Like