document validating client certificates against rootCA

TykTechnologies · Jul 12, 2024 · 7fddf4d · 7fddf4d
1 parent 2c867cf
commit 7fddf4d
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/tyk-docs/content/basic-config-and-security/security/mutual-tls/client-mtls.md b/tyk-docs/content/basic-config-and-security/security/mutual-tls/client-mtls.md
@@ -103,4 +103,15 @@ From a technical point of view, this is an extension of Auth token authenticatio
 
 You can do this ONLY through the manual "Create A Key" flow as an Admin Dashboard user.  Through the Portal, you must ONLY paste the contents of the public key, or cert as it is typically called.
 
+#### Can I use a root Certificate Authority (CA) certificate as a client certificate for mutual TLS (mTLS) authentication?
+
+Yes, you can upload a root CA certificate as a client certificate for static mTLS authentication. This configuration will allow clients presenting certificates signed by that CA to be validated.
+
+Key points:
+1. The root CA certificate can be used to be uploaded as a client certificate.
+2. Clients with certificates signed by this CA will be accepted.
+3. During verification, Tyk gateway traverses the certificate chain for validation.
+4. This approach does not work with dynamic mTLS.
+
+Note: Ensure that your root CA certificate is properly formatted and trusted within your system's certificate store.