Create JSON Payloads for Mutual TLS (mTLS) Authentication on Confluent Cloud

JSON payloads provide a structured and standardized way to define and manage the various components and rules involved in mTLS authentication, facilitating secure and efficient communication between Confluent Cloud resources and your clients.

You can create JSON payloads for specifying access rules for the trusted client certificate authority (CA) chain that you want to configure for your Confluent Cloud organization. You should create a payload this way to preserve the formatting of the certificate_chain as a string when configuring the Certificate Authority in Confluent Cloud.

You can also create JSON payloads for your identity providers and identity pools.

JSON payload template

The following template shows how to create a JSON payload for a certificate authority (CA). Replace the placeholders with your actual values.

json_payload=$(jq -n \
  --arg name "<Name of Certificate Authority>" \
  --arg description "<Description of Certificate Authority>" \
  --arg certificate_chain "$(cat path/to/<ca-chain-filename>.pem)" \
  --arg certificate_chain_filename "<ca-chain-filename>.pem" \
    '{
      display_name: $name,
      description: $description,
      certificate_chain: $certificate_chain,
      certificate_chain_filename: $certificate_chain_filename
    }');

json_payload=$(jq -n \
  --arg name "<Name of Certificate Authority>" \
  --arg description "<Description of Certificate Authority>" \
  --arg certificate_chain "$(cat path/to/<ca-chain-filename>.pem)" \
  --arg certificate_chain_filename "<ca-chain-filename>.pem" \
  --argjson role_bindings '[]' \  # Example field for role bindings
  --arg identity_pool "<Identity Pool Name>" \  # Example field for identity pool
  --arg provider "<Provider Name>" \  # Example field for provider
    '{
      display_name: $name,
      description: $description,
      certificate_chain: $certificate_chain,
      certificate_chain_filename: $certificate_chain_filename,
      role_bindings: $role_bindings,
      identity_pool: $identity_pool,
      provider: $provider
    }');

JSON Payload Fields

Field	Description	Constraints
display_name	A human-readable name for the Certificate Authority (CA). This name helps users easily identify the CA within the system.	A concise string that clearly describes the CA.
description	A detailed explanation of the CA’s purpose or role. This can include information about the CA’s intended use or any specific details that differentiate it from other CAs.	A string that provides meaningful context about the CA.
certificate_chain	Contains the actual certificate chain in PEM format. It is crucial for establishing trust in the mTLS process, as it includes the public certificates that the server will use to verify client certificates.	Must be a valid PEM-encoded certificate chain, formatted correctly for parsing and validation.
certificate_chain_filename	The filename of the certificate chain file. Used for reference purposes, especially when managing multiple certificate files.	A string that matches the actual filename of the certificate chain file.
filter	The CEL filter used to match identities from the identity provider.	A string that defines the criteria for matching identities from the identity provider.
external_identifier	The external identifier for the identity pool.	A string that uniquely identifies the identity pool from the identity provider.
crl_url	The URL of the Certificate Revocation List (CRL).	A string that specifies the URL of the CRL.
crl_chain	The Base64-encoded Certificate Revocation List (CRL) chain.	A string that contains the Base64-encoded CRL chain.

Examples

Example:JSON payload for identity provider

The following example shows how to create a JSON payload for an identity provider. The certificate_chain field contains the actual certificate chain in PEM format.

json_payload=$(jq -n \
  --arg name "$name" \
  --arg description "$description" \
  --arg certificate_chain "$certificate_chain" \
  --arg certificate_chain_filename "$certificate_chain_filename" \
    '{
      display_name: $name,
      description: $description,
      certificate_chain: $certificate_chain,
      certificate_chain_filename: $certificate_chain_filename
    }')

For example, if you have a certificate authority (CA) chain file named acme-internal-client-ca.pem, you can generate JSON payload like this:

json_payload=$(jq -n \
  --arg name "Acme Internal Client CA" \
  --arg description "Acme certificate authority for internal client applications" \
  --arg certificate_chain "$(cat path/to/acme-internal-client-ca.pem)" \
  --arg certificate_chain_filename "acme-internal-client-ca.pem" \
    '{
      display_name: $name,
      description: $description,
      certificate_chain: $certificate_chain,
      certificate_chain_filename: $certificate_chain_filename
    }')

The resulting JSON payload would look like this:

{
  "display_name": "Acme Internal Client CA",
  "description": "Acme certificate authority for internal client applications",
  "certificate_chain": "-----BEGIN CERTIFICATE-----\nMIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw\nCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg\nR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00\nMDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT\nZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw\nEAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW\n+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9\nItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T\nAQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI\nzj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW\ntL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1\n/q4AaOeMSQ+2b1tbFfLn\n-----END CERTIFICATE-----",
  "certificate_chain_filename": "acme-internal-client-ca.pem"
}

JSON payload for an identity provider:

json_payload=$(jq -n \
  --arg name "$name" \
  --arg description "$description" \
  --arg cert "$cert" \
  --arg file_name "$file_name" \
  '{
    name: $name,
    description: $description,
    cert: $cert,
    file_name: $file_name
  }')

JSON payload for an identity pool:

json_payload=$(jq -n \
  --arg display_name "$display_name" \
  --arg description "$description" \
  --arg filter "$filter" \
  --arg external_identifier "$external_identifier" \
  '{
    display_name: $display_name,
    description: $description,
    filter: $filter,
    external_identifier: $external_identifier
  }')

Related content

• Configure mTLS authentication on Confluent Cloud
• Manage certificate authorities
• Manage identity pools