Revoking SSL certificate in Mutual TLS authentication

5/29/2019

I am trying to enable Mutual TLS based authentication for an application deployed in a Kubernetes cluster.

Use cases:

  1. Want to restrict access to our application to only those users with trusted client cert.
  2. Based on certain situations/conditions, I would also want to revoke the certificate of a specific user so that the user is no longer able to access the application with his/her certificate.

I tried setting up Mutual TLS at the kubernetes ingress controller (nginx based), by adding the following annotations.

    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "ca-cert"

ca-cert is the kubernetes secret containing the CA certificate used to issue client certs. In this way ingress validates the client certificate sent as part of the request against ca-cert.

This works very well for any client certs signed by ca-cert. I am trying to come up with a solution for the certificate revocation process. Need advice on this.

Is it possible to trust individual client cert instead of a CA Cert in ingress? This will help us revoke individual client certs.

-- dinup24
kubernetes
kubernetes-ingress
mutual-authentication
ssl
ssl-certificate

1 Answer

7/24/2019

If I understand you correctly, you need to use an Nginx Certificate Revocation List. It should be done by using standard Nginx configuration (create in standard format, add to file, update the file from Ingress). Here are more details / tutorials regarding this.

Please let me know if that helped.

-- OhHiMark
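The revocation flow the answer points at, as an added example that is not part of the question or the answer: it stands up a throwaway CA with openssl, revokes one of two client certs, builds the CRL, and verifies both certs with CRL checking on, which is the same check a TLS terminator performs. It assumes a local openssl binary and uses constructed names (demo-ca, alice, bob); with ingress-nginx the resulting CRL is what the auth-tls-secret's optional ca.crl key carries, next to ca.crt.

```shell
# Added example, not from the question or answer: a throwaway CA issues two client
# certs, revokes one, publishes a CRL, then checks both certs the way a TLS
# terminator with CRL checking would. All paths are constructed in a temp dir.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
# Minimal `openssl ca` layout: index, serial and CRL number live under ./ca
mkdir ca; : > ca/index.txt; echo 1000 > ca/serial; echo 01 > ca/crlnumber
cat > ca/openssl.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
dir = ca
database = $dir/index.txt
serial = $dir/serial
crlnumber = $dir/crlnumber
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[cn_only]
commonName = supplied
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed CA: the PEM the ca-cert Secret's ca.crt key would hold.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
  -config ca/openssl.cnf -extensions v3_ca -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
# Issue each user's cert through `openssl ca` so it is recorded in the index.
for user in alice bob; do
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -config ca/openssl.cnf -keyout "$user.key" -out "$user.csr" 2>/dev/null
  openssl ca -batch -notext -config ca/openssl.cnf -in "$user.csr" -out "$user.crt" 2>/dev/null
done
# Revoke bob and publish a fresh CRL: this file is what the terminator needs.
openssl ca -config ca/openssl.cnf -revoke bob.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -config ca/openssl.cnf -gencrl -out ca/ca.crl 2>/dev/null
# Exit 0 if the cert chains to the CA and is absent from the CRL, non-zero otherwise.
client_allowed() {
  openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca/ca.crl "$1" >/dev/null 2>&1
}
for user in alice bob; do client_allowed "$user.crt" && echo "$user: accepted" || echo "$user: rejected"; done
```

Re-issue the CRL before the `default_crl_days` window ends: an expired CRL makes verification fail for every client cert, not just the revoked one.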
Source: StackOverflow