I'm using mTLS with Google Cloud for a load balancer. I have defined a TrustAnchor defining my supported root CAs. The expectation would be that a certificate_authorities extension is included in the certificate_request_context extensions to inform the client which CAs are supported, so that the client can use a correct key and certificate signed by this CA. But GC is not including this. Is there a flag or option to enforce this?

Since the client supports multiple servers, it uses this for the certificate lookup, i.e. a fixed selection and presentation of the client certificate does not work.
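As an added example (not code from the question or from Google Cloud), this shows the mechanism the question relies on: the RFC 8446 certificate_authorities extension is a length-prefixed list of DER DistinguishedNames, and a client that holds certificates from several CAs matches the advertised names against its certificates' issuer DNs. The DNs, the wallet and its labels are constructed samples.

```python
"""Encode/parse the TLS 1.3 certificate_authorities extension (RFC 8446 4.2.4)
and use it for client-certificate lookup. DNs and wallet are constructed samples."""
import struct
from typing import Dict, List, Optional

def encode_certificate_authorities(dns: List[bytes]) -> bytes:
    """extension_data: 2-byte list length, then each DER DN as opaque<1..2^16-1>."""
    body = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    return struct.pack("!H", len(body)) + body

def parse_certificate_authorities(data: bytes) -> List[bytes]:
    """Return the DER DistinguishedNames; ValueError on malformed lengths."""
    if len(data) < 2:
        raise ValueError("extension_data too short")
    (total,) = struct.unpack("!H", data[:2])
    if total < 3 or total != len(data) - 2:  # authorities<3..2^16-1>, no trailing bytes
        raise ValueError("authorities length does not match extension_data")
    pos, end, names = 2, 2 + total, []
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (n,) = struct.unpack("!H", data[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > end:
            raise ValueError("DistinguishedName length out of range")
        names.append(data[pos:pos + n])
        pos += n
    return names

def select_client_cert(advertised: List[bytes], wallet: Dict[bytes, str]) -> Optional[str]:
    """Pick the client cert whose issuer DN (DER) the server advertised.
    `wallet` maps issuer-DN DER -> certificate label; None when nothing matches,
    which is what happens when the server sends no certificate_authorities at all."""
    for dn in advertised:  # server order is its preference order
        if dn in wallet:
            return wallet[dn]
    return None

def _cn(name: str) -> bytes:
    """Constructed DER Name: SEQUENCE { SET { SEQUENCE { OID CN, UTF8String } } }."""
    utf8 = b"\x0c" + bytes([len(name)]) + name.encode()
    atv = b"\x06\x03\x55\x04\x03" + utf8          # id-at-commonName
    atv = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn

ROOT_A, ROOT_B = _cn("Root A"), _cn("Root B")
WALLET = {ROOT_A: "client-cert-signed-by-A", ROOT_B: "client-cert-signed-by-B"}

if __name__ == "__main__":
    ext = encode_certificate_authorities([ROOT_B])
    print(select_client_cert(parse_certificate_authorities(ext), WALLET))
```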
Posting my comment as an answer. Please also consider what @JohnHanley mentioned regarding the feature request.

AFAIK, Google Cloud's load balancers do not support customizing the certificate_authorities extension in the certificate_request_context for mTLS. Since clients have multiple servers, I'm afraid you can't do a fixed selection and presentation of your client certificate. I believe an alternative approach should be considered.