Generate a Certificate Signing Request (CSR)

For Knot to authenticate your requests via mTLS, you need to generate a private key and a corresponding CSR. Knot requires the CSR to use RSA 2048 as the key algorithm and SHA2-256 as the hash algorithm. In addition, set the Common Name (CN) attribute to your Knot client ID (shown as [YOUR_CLIENT_ID] in the examples that follow) to prevent any mix-ups with other clients that you currently have or might add in the future.

You can use any tool you prefer to generate the private key and CSR. Here is how to do it with OpenSSL:

openssl req \
    -new -sha256 -newkey rsa:2048 -nodes \
    -subj '/CN=[YOUR_CLIENT_ID]' \
    -keyout client.key -out client.req

Keep the generated private key secure: the -nodes option writes client.key without passphrase encryption. The key will be used in later API requests.
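
Before sending the CSR, you can check it against the requirements listed above. The script below is an added example, not part of Knot's documentation: check_csr is a hypothetical helper name, the client ID is assumed to contain only letters, digits, '-' and '_', and the subject is expected to hold the CN alone, as the OpenSSL command above produces.

```sh
#!/bin/sh
# Added example: pre-submission check of a CSR (reads the CSR file only).
check_csr() {
    csr=$1
    client_id=$2   # assumption: letters, digits, '-' and '_' only
    rc=0

    # A CSR is signed with its own private key. If this check fails, the
    # file is damaged or was altered after it was generated.
    out=$(openssl req -in "$csr" -noout -verify 2>&1) || :
    case $out in
        *'verify OK'*) ;;
        *) echo "FAIL: CSR self-signature does not verify" >&2; return 1 ;;
    esac

    text=$(openssl req -in "$csr" -noout -text) || return 1
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1

    # Key algorithm and size: RSA 2048.
    case $text in
        *'Public Key Algorithm: rsaEncryption'*) ;;
        *) echo "FAIL: key algorithm is not RSA" >&2; rc=1 ;;
    esac
    case $text in
        *'Public-Key: (2048 bit)'*) ;;
        *) echo "FAIL: key size is not 2048 bits" >&2; rc=1 ;;
    esac

    # Hash algorithm: SHA2-256.
    case $text in
        *'Signature Algorithm: sha256WithRSAEncryption'*) ;;
        *) echo "FAIL: CSR is not signed with SHA-256" >&2; rc=1 ;;
    esac

    # Subject: exactly CN=<client ID>, nothing else.
    if [ "$subject" != "subject=CN=$client_id" ]; then
        echo "FAIL: unexpected subject: $subject" >&2
        rc=1
    fi

    return "$rc"
}

# Usage: sh check_csr.sh client.req <your client ID>
if [ "$#" -eq 2 ]; then
    check_csr "$1" "$2"
fi
```

The function returns 0 only when every requirement holds and prints one FAIL line per mismatch otherwise.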

Reach out to us

Reach out to us at [email protected] to forward the CSR file you've created and ask for mTLS to be activated for your Knot client ID. Send only the CSR (client.req); the private key stays with you. Within 2 business days, you'll receive a client certificate signed by Knot. This certificate, together with your private key, will serve as the authentication mechanism for interacting with the Knot API.

Accessing the Knot API over mTLS

Once you receive the client certificate signed by Knot, all requests using your Knot client ID will require mTLS. Configure your HTTP client to present client.cert together with client.key on each request.