Create JSON Payloads for Mutual TLS (mTLS) Authentication on Confluent Cloud¶
JSON payloads provide a structured and standardized way to define and manage the various components and rules involved in mTLS authentication, facilitating secure and efficient communication between Confluent Cloud resources and your clients.
You can create JSON payloads for specifying access rules for the trusted client
certificate authority (CA) chain that you want to configure for your Confluent Cloud
organization. You should create a payload this way to preserve the formatting
of the certificate_chain
as a string when configuring the Certificate
Authority in Confluent Cloud.
You can also create JSON payloads for your identity providers and identity pools.
JSON payload template¶
The following template shows how to create a JSON payload for a certificate authority (CA). Replace the placeholders with your actual values.
json_payload=$(jq -n \
--arg name "<Name of Certificate Authority>" \
--arg description "<Description of Certificate Authority>" \
--arg certificate_chain "$(cat path/to/<ca-chain-filename>.pem)" \
--arg certificate_chain_filename "<ca-chain-filename>.pem" \
'{
display_name: $name,
description: $description,
certificate_chain: $certificate_chain,
certificate_chain_filename: $certificate_chain_filename
}');
json_payload=$(jq -n \
--arg name "<Name of Certificate Authority>" \
--arg description "<Description of Certificate Authority>" \
--arg certificate_chain "$(cat path/to/<ca-chain-filename>.pem)" \
--arg certificate_chain_filename "<ca-chain-filename>.pem" \
--argjson role_bindings '[]' \ # Example field for role bindings
--arg identity_pool "<Identity Pool Name>" \ # Example field for identity pool
--arg provider "<Provider Name>" \ # Example field for provider
'{
display_name: $name,
description: $description,
certificate_chain: $certificate_chain,
certificate_chain_filename: $certificate_chain_filename,
role_bindings: $role_bindings,
identity_pool: $identity_pool,
provider: $provider
}');
JSON Payload Fields¶
Field | Description | Constraints |
---|---|---|
display_name |
A human-readable name for the Certificate Authority (CA). This name helps users easily identify the CA within the system. | A concise string that clearly describes the CA. |
description |
A detailed explanation of the CA’s purpose or role. This can include information about the CA’s intended use or any specific details that differentiate it from other CAs. | A string that provides meaningful context about the CA. |
certificate_chain |
Contains the actual certificate chain in PEM format. It is crucial for establishing trust in the mTLS process, as it includes the public certificates that the server will use to verify client certificates. | Must be a valid PEM-encoded certificate chain, formatted correctly for parsing and validation. |
certificate_chain_filename |
The filename of the certificate chain file. Used for reference purposes, especially when managing multiple certificate files. | A string that matches the actual filename of the certificate chain file. |
filter |
The CEL filter used to match identities from the identity provider. | A string that defines the criteria for matching identities from the identity provider. |
external_identifier |
The external identifier for the identity pool. | A string that uniquely identifies the identity pool from the identity provider. |
crl_url |
The URL of the Certificate Revocation List (CRL). | A string that specifies the URL of the CRL. |
crl_chain |
The Base64-encoded Certificate Revocation List (CRL) chain. | A string that contains the Base64-encoded CRL chain. |
Examples¶
Example:JSON payload for identity provider¶
The following example shows how to create a JSON payload for an identity
provider. The certificate_chain
field contains the actual certificate chain
in PEM format.
json_payload=$(jq -n \
--arg name "$name" \
--arg description "$description" \
--arg certificate_chain "$certificate_chain" \
--arg certificate_chain_filename "$certificate_chain_filename" \
'{
display_name: $name,
description: $description,
certificate_chain: $certificate_chain,
certificate_chain_filename: $certificate_chain_filename
}')
For example, if you have a certificate authority (CA) chain file named
acme-internal-client-ca.pem
, you can generate JSON payload like this:
json_payload=$(jq -n \
--arg name "Acme Internal Client CA" \
--arg description "Acme certificate authority for internal client applications" \
--arg certificate_chain "$(cat path/to/acme-internal-client-ca.pem)" \
--arg certificate_chain_filename "acme-internal-client-ca.pem" \
'{
display_name: $name,
description: $description,
certificate_chain: $certificate_chain,
certificate_chain_filename: $certificate_chain_filename
}')
The resulting JSON payload would look like this:
{
"display_name": "Acme Internal Client CA",
"description": "Acme certificate authority for internal client applications",
"certificate_chain": "-----BEGIN CERTIFICATE-----\nMIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw\nCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg\nR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00\nMDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT\nZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw\nEAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW\n+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9\nItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T\nAQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI\nzj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW\ntL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1\n/q4AaOeMSQ+2b1tbFfLn\n-----END CERTIFICATE-----",
"certificate_chain_filename": "acme-internal-client-ca.pem"
}
JSON payload for an identity provider:
json_payload=$(jq -n \
--arg name "$name" \
--arg description "$description" \
--arg cert "$cert" \
--arg file_name "$file_name" \
'{
name: $name,
description: $description,
cert: $cert,
file_name: $file_name
}')
JSON payload for an identity pool:
json_payload=$(jq -n \
--arg display_name "$display_name" \
--arg description "$description" \
--arg filter "$filter" \
--arg external_identifier "$external_identifier" \
'{
display_name: $display_name,
description: $description,
filter: $filter,
external_identifier: $external_identifier
}')