mTLS (Mutual TLS) Explained
What mutual TLS is, how it differs from standard TLS, how the mTLS handshake works, use cases like zero trust and service mesh, and how mTLS compares to API keys and OAuth.
In a standard TLS connection, only the server presents a certificate. The client verifies the server's identity, but the server has no cryptographic proof of who the client is. Mutual TLS (mTLS) changes this by requiring both sides to present and verify certificates. The server authenticates the client, and the client authenticates the server. This two-way authentication is the foundation of zero trust networking and is increasingly used for API-to-API communication, service meshes, and IoT device authentication. For background on how TLS works, see our SSL/TLS guide.
How Standard TLS Works (One-Way)
Before understanding mTLS, it helps to review what happens in a normal TLS connection.
- The client connects to the server and initiates the TLS handshake.
- The server sends its certificate to the client.
- The client verifies the server's certificate against its trust store (checking the certificate chain, expiration, revocation, and domain name).
- If the certificate is valid, the client and server negotiate encryption parameters and establish an encrypted session.
At no point does the server verify the client's identity cryptographically. The server knows the connection is encrypted, but it doesn't know who is on the other end. Client identity, if needed, is typically handled at the application layer (username/password, API key, OAuth token).
How mTLS Works (Two-Way)
mTLS adds client certificate verification to the handshake. Both parties present certificates, and both parties verify the other's certificate.
The mTLS handshake proceeds as follows:
- The client connects to the server and initiates the TLS handshake.
- The server sends its certificate to the client.
- The client verifies the server's certificate (same as standard TLS).
- The server sends a "CertificateRequest" message, asking the client to present its certificate.
- The client sends its certificate to the server.
- The server verifies the client's certificate against its trust store (checking the chain, expiration, and whether the client certificate is authorized).
- The client proves it possesses the private key corresponding to the certificate by signing a hash of the handshake messages (the "CertificateVerify" message).
- Both sides agree on encryption parameters and establish the encrypted session.
After this handshake, both parties have cryptographic proof of each other's identity. The server knows exactly which client connected (identified by the client certificate's subject or other fields), and the client knows it is talking to the legitimate server.
mTLS vs Standard TLS
| Aspect | Standard TLS | mTLS |
|---|---|---|
| Server authentication | Yes (server presents certificate) | Yes (server presents certificate) |
| Client authentication | No (handled at application layer) | Yes (client presents certificate) |
| Certificate management | Server certificates only | Server and client certificates |
| Setup complexity | Lower | Higher (client certs must be provisioned) |
| Use case | Public websites, general HTTPS | API-to-API, zero trust, IoT |
The key tradeoff is security vs operational complexity. mTLS provides stronger authentication but requires issuing, distributing, and managing client certificates for every entity that needs to connect. For a public website with millions of visitors, this is impractical. For a service mesh with 50 microservices, it is standard practice.
Use Cases for mTLS
API-to-API Communication
When two services communicate over a network (especially across the internet), mTLS provides strong mutual authentication without relying on shared secrets. Each service has its own certificate, and both sides verify the other. This is more secure than API keys, which can be leaked, logged, or stolen.
Zero Trust Architecture
Zero trust networking follows the principle of "never trust, always verify." Every connection between services must be authenticated, regardless of whether the services are on the same network. mTLS is the primary mechanism for implementing this. Even services within the same data center authenticate each other via certificates.
For the DNS perspective on zero trust security, see DNS security best practices.
Service Mesh
Service meshes like Istio, Linkerd, and Consul Connect use mTLS as the default communication method between services. The mesh sidecar proxy handles certificate management, rotation, and the mTLS handshake automatically. Application code doesn't need to be aware of mTLS at all.
Istio, for example, uses its own CA (Citadel, now integrated into istiod) to issue short-lived certificates to every pod in the mesh. These certificates are automatically rotated (typically every 24 hours) and used for all inter-service communication.
IoT Device Authentication
IoT devices that communicate with a backend server need to prove their identity. Pre-provisioning each device with a client certificate during manufacturing allows the server to authenticate every device connection. This is more robust than device IDs or tokens, which can be extracted from device firmware.
VPN and Remote Access
Some VPN solutions use client certificates for authentication instead of (or in addition to) username/password. This eliminates the risk of credential theft and phishing. The user's device must possess the correct private key to establish the connection.
Setting Up mTLS
The exact steps vary depending on your infrastructure, but the general process involves generating a CA, issuing certificates, and configuring both server and client.
Create or select a Certificate Authority
You need a CA to issue both server and client certificates. For internal services, this is typically a private CA that you operate. Tools like OpenSSL, cfssl, step-ca, or HashiCorp Vault can serve as your CA. For external partners, you might use a public CA or exchange CA certificates.
Issue the server certificate
Generate a key pair and certificate for the server, signed by your CA. This is the same as any TLS server certificate. The server's domain name should be in the Subject Alternative Name (SAN) field.
Issue client certificates
Generate a key pair and certificate for each client that needs to connect. The client certificate's subject (Common Name or SAN) should identify the client. Sign each certificate with your CA.
Configure the server to require client certificates
Configure your server (Nginx, Apache, Envoy, or application code) to require client certificate authentication. Provide the CA certificate so the server knows which client certificates to trust.
In Nginx, for example:
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
Configure clients to present their certificates
Each client must be configured with its certificate and private key. In curl, for example:
curl --cert client.crt --key client.key https://server.example.com
Test the connection
Verify that connections with valid client certificates succeed and connections without (or with invalid) certificates are rejected.
Certificate Management for mTLS
mTLS introduces significant certificate management overhead. Instead of managing a handful of server certificates, you now manage certificates for every client. This creates operational challenges that must be addressed.
Certificate issuance at scale. If you have hundreds of services, you need to automate certificate issuance. Manual CSR generation and signing doesn't scale. Tools like HashiCorp Vault, cert-manager (for Kubernetes), and step-ca provide automated certificate issuance.
Certificate rotation. Client certificates expire, and rotating them requires coordination. Best practice is to use short-lived certificates (hours to days) with automatic renewal. Service meshes handle this automatically. For other deployments, you need automation.
Certificate revocation. When a client is decommissioned or compromised, its certificate should be revoked. This faces the same challenges as any certificate revocation (CRL latency, OCSP availability). Short-lived certificates partially mitigate this: if a certificate expires in 24 hours, revocation is less urgent.
Trust store management. The server's trust store (the list of CA certificates it trusts for client authentication) must be kept current. If you rotate your CA certificate, all servers must be updated to trust the new CA.
Cloudflare mTLS
Cloudflare offers mTLS as a product called "Cloudflare Access" (part of their Zero Trust platform) and as "Authenticated Origin Pulls" for protecting the connection between Cloudflare's edge and your origin server.
Authenticated Origin Pulls configures the connection between Cloudflare and your origin to use mTLS. Cloudflare presents a client certificate to your origin, and your origin verifies it. This ensures that only requests coming through Cloudflare (not direct connections to your origin IP) are accepted.
Cloudflare Access with mTLS allows you to require client certificates for accessing applications behind Cloudflare. You upload your CA certificate to Cloudflare, and it verifies client certificates at the edge. This is useful for protecting internal applications without a VPN.
mTLS vs API Keys vs OAuth
| Aspect | mTLS | API Keys | OAuth 2.0 |
|---|---|---|---|
| Authentication type | Cryptographic (certificate) | Shared secret | Token-based |
| Mutual authentication | Yes | No (client authenticates server via TLS, server checks key) | No (server validates token) |
| Key/secret transmission | Never (private key stays local) | Sent with every request | Token sent with every request |
| Revocation | Certificate revocation (CRL/OCSP) | Delete from server | Token expiry or revocation |
| Complexity | High (certificate management) | Low | Medium (token lifecycle) |
| Best for | Service-to-service, zero trust | Simple integrations | User-facing APIs, delegated access |
mTLS is strongest for service-to-service authentication where both sides need cryptographic proof of identity. The private key never leaves the client, so there is no shared secret to steal.
API keys are simple to implement but are shared secrets. If an API key is logged, leaked in source code, or intercepted, it can be reused by an attacker. API keys also don't provide mutual authentication: the server checks the key, but the client relies on standard TLS for server verification.
OAuth 2.0 is designed for delegated authorization (a user authorizing an application to act on their behalf). It is not designed for machine-to-machine authentication, though the Client Credentials grant type is sometimes used for this. OAuth tokens are bearer tokens, meaning anyone who possesses the token can use it.
For machine-to-machine communication where security is critical, mTLS is the strongest option. For human-facing APIs with delegated access needs, OAuth is appropriate. API keys are suitable for low-risk integrations where simplicity is valued over security.
mTLS and OAuth can work together
In high-security environments, you can use both. mTLS authenticates the client at the transport layer, and OAuth handles authorization at the application layer. The server knows who the client is (mTLS) and what they are allowed to do (OAuth). This is common in financial services and healthcare APIs.
Understanding the difference between SSL and TLS and the types of certificates available will help you make informed decisions about your mTLS implementation.
References
- RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3
- Cloudflare - Mutual TLS
- Cloudflare - Authenticated Origin Pulls
- NIST SP 800-207 - Zero Trust Architecture
Never lose track of certificate expiry
Monitor all your certificates, including client certificates used for mTLS. Get alerts before they expire and avoid authentication failures.
Try SSL Certificate Expiry