Back to Learn
Certificates > Learn > mTLS Explained

mTLS Explained

Mutual TLS (mTLS) is a TLS handshake where both sides — client and server — present certificates and verify each other's identity. Standard TLS only authenticates the server; mTLS adds client authentication at the transport layer.

Standard TLS vs mTLS

Standard TLS:
  Client  ──────────────────>  Server
          <── Server Certificate
          (Client verified server identity)
          (Server does NOT verify client)

Mutual TLS:
  Client  ──────────────────>  Server
          <── Server Certificate
          ── Client Certificate ──>
          (Both sides verified each other)

In the mTLS handshake, the server sends a CertificateRequest message. The client responds with its own certificate and proves possession of the corresponding private key. The server validates the client certificate against its trusted CA list.

Use Cases

  • Service Mesh— Istio, Linkerd, and Consul Connect use mTLS to authenticate service-to-service communication automatically. Each pod gets a short-lived certificate from the mesh CA (SPIFFE/SPIRE).
  • API Authentication — stronger than API keys. The client proves identity cryptographically at the transport layer, before the application code runs.
  • Zero Trust Networks — mTLS ensures every connection is authenticated, regardless of network location. No implicit trust based on being “inside the firewall.”
  • IoT / Device Authentication — devices provisioned with unique certificates connect to backend services. Revocation is per-device.

Setup Overview

Setting up mTLS requires:

  1. A shared CA— both the server and all clients must trust a common CA (internal CA or dedicated intermediate).
  2. Server certificate — standard TLS server certificate, as usual.
  3. Client certificates — each client gets a unique certificate with TLS Client Authentication in Extended Key Usage.
  4. Server configuration — configure the server to require or request client certificates.

Kestrel (.NET) Configuration

builder.WebHost.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(https =>
    {
        https.ClientCertificateMode =
            ClientCertificateMode.RequireCertificate;
        https.ClientCertificateValidation =
            (cert, chain, errors) =>
            {
                // Custom validation logic
                return errors == SslPolicyErrors.None;
            };
    });
});

nginx Configuration

server {
    listen 443 ssl;

    ssl_certificate      /etc/ssl/server.crt;
    ssl_certificate_key  /etc/ssl/server.key;

    # mTLS settings
    ssl_client_certificate /etc/ssl/client-ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       2;
}

Advantages and Disadvantages

Advantages

  • Strong cryptographic identity for both parties
  • Immune to credential theft (no passwords to steal)
  • Works at transport layer before app code runs
  • Fine-grained revocation per client certificate

Disadvantages

  • Certificate lifecycle management complexity
  • Client certificate distribution at scale
  • Debugging handshake failures is harder
  • Key storage security on client devices

Tip

For .NET microservices, consider using short-lived client certificates (hours, not years) rotated automatically. This limits the blast radius of a compromised key and eliminates the need for revocation infrastructure.

Generate a client authentication certificate using the Certificate Templates tool — select the “Client Auth” template to get started.