chapter six

6 Securing service-to-service communication with certificates


This chapter covers

  • Creating certificates and securing microservices with mutual Transport Layer Security (mTLS)
  • The challenges in certificate management, trust bootstrap, and certificate revocation in a highly distributed system
  • The solutions and workarounds to address the challenges in securing microservices with mTLS

In the past few chapters, we discussed how end-to-end security works in a typical microservices deployment and explored multiple options for securing the edge with an API gateway. Edge security deals with authenticating and authorizing the end user: a system that accesses a microservice on behalf of a human user or on behalf of another system. Once the security screening at the edge is done, the end-user context is passed along to the downstream microservices. The focus of this chapter is securing communications among microservices with mutual Transport Layer Security (mTLS), which is the most popular option for securing communications among microservices.

6.1   Why use mTLS?

6.1.1   Trusted certificate authority

6.1.2   Mutual TLS

6.1.3   HTTPS versus TLS

6.2   Creating certificates

6.2.1   Creating a CA

6.2.2   Generating keys for the order processing microservice

6.2.3   Generating keys for the inventory microservice

6.3   Securing microservices with TLS

6.3.1   Running the Order Processing microservice over TLS

6.3.2   Running the Inventory microservice over TLS

6.3.3   Communication between two microservices over TLS

6.4   Engaging mTLS

6.5   Challenges in key management

6.5.1   Key provisioning and trust bootstrap

6.5.2   Certificate revocation

6.6   Key rotation

6.7   Monitoring key use

6.8   SPIFFE

6.8.1   How SPIFFE/SPIRE works

6.8.2   What’s new in SPIFFE

6.9   Summary