
Version: 3.4.x

SNIs

An SNI (Server Name Indication) object represents a many-to-many mapping between the hostnames of services and certificates. A single certificate object can therefore be shared by multiple services through the use of SNI, and a service hostname is served with whichever certificate is mapped to it.

How SNI Works

Since API7 Gateway terminates TLS in front of the actual backend services, it acts as the server in the handshake.

When a client initiates an SSL/TLS connection, it includes the hostname it is trying to reach in the Server Name Indication (SNI) extension of the TLS ClientHello. The server uses the SNI received from the client to select the matching SSL certificate (and its private key) from its repository. It then presents the matched certificate to the client, completing the TLS handshake and establishing a secure connection. Note that the SNI is sent in cleartext before any keys are negotiated, so the requested hostname is visible to anyone observing the connection; only the subsequent traffic is encrypted.

In mTLS, a CA certificate is also needed along with the SSL certificate. After the server presents its certificate, the client also presents its own certificate to the server. The server verifies the client certificate against the configured CA certificate: it checks that the certificate chains to that CA and that the client proves possession of the corresponding private key. This authenticates the client; whether an authenticated client is authorized to reach a particular service is a separate decision taken after the handshake. Both the client and the server have now verified each other's identities, establishing a secure and mutually authenticated connection.
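The handshake described in the two paragraphs above can be exercised end to end. The following is an added example, not code from the API7 documentation or from the gateway itself: it stands up a TLS server that selects its certificate from the SNI in the ClientHello (one certificate covering two hostnames, another covering a third), optionally requires and verifies client certificates against a private CA, and reports which certificate a client connecting with a given SNI received. The CA, the hostnames api.example.com, shop.example.com and admin.example.com, and the certificate names are all constructed for the example and generated in memory when it runs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert issues a P-256 certificate for cn and dnsNames: a self-signed CA when
// parent is nil, otherwise one signed by parent. Keys stay in memory (demo only).
func newCert(cn string, dnsNames []string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	parentTmpl, signer := tmpl, any(key)
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentTmpl, signer = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentTmpl, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// selectBySNI is the lookup the page describes: the SNI from the ClientHello is matched
// against each candidate's names, so one certificate listing several hostnames is shared
// by all of them. An SNI that no certificate covers fails the handshake.
func selectBySNI(certs []tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		for i := range certs {
			if hello.SupportsCertificate(&certs[i]) == nil {
				return &certs[i], nil
			}
		}
		return nil, fmt.Errorf("no certificate configured for SNI %q", hello.ServerName)
	}
}

// NewGateway builds the server side: a private CA, one certificate covering two hostnames,
// one for a third, and a client certificate from the same CA. The CA pool doubles as
// ClientCAs (the extra piece mTLS needs); clientAuth says whether a client cert is required.
func NewGateway(clientAuth tls.ClientAuthType) (*tls.Config, *x509.CertPool, tls.Certificate) {
	ca := newCert("Example Private CA", nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := &tls.Config{ClientAuth: clientAuth, ClientCAs: pool, GetCertificate: selectBySNI([]tls.Certificate{
		newCert("shared-services", []string{"api.example.com", "shop.example.com"}, &ca),
		newCert("admin.example.com", []string{"admin.example.com"}, &ca),
	})}
	return srv, pool, newCert("partner-client", nil, &ca)
}

// Handshake runs one TLS handshake over loopback TCP, the gateway side with srv and the
// client with cli (cli.ServerName is the SNI it sends). It returns the CommonName of the
// certificate the gateway chose, or the first error raised on either side.
func Handshake(srv, cli *tls.Config) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = tls.Server(c, srv).Handshake()
		}
		serverErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", fmt.Errorf("client: %w", err)
	}
	defer conn.Close()
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server: %w", err)
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

Connecting with shop.example.com returns the same shared-services certificate as api.example.com, which is the sharing described above; an SNI that no certificate covers fails the handshake at the server; and with tls.RequireAndVerifyClientCert a client that presents no certificate is rejected by the server, even though under TLS 1.3 the client's own side of the handshake appears to complete before that rejection arrives. The per-hostname matching here is Go's ClientHelloInfo.SupportsCertificate; the gateway performs the equivalent lookup against its SNI objects.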

Use Cases

  • Efficient use of resources: Allows multiple services with different hostnames to share certificate management, reducing infrastructure costs and complexity.
  • Enhanced security: Ensures that the certificate matching the requested hostname is presented for each connection, so clients can verify the server's identity for every hostname rather than being offered a certificate that does not match the name they requested.

Copyright © APISEVEN PTE. LTD 2019 – 2025. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation.