How It Works¶
Standard TLS: client verifies server. mTLS: both sides verify each other.
Certificates¶
CA¶
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout ca.key -out ca.crt -subj ‘/CN=MyCA’
Server¶
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj ‘/CN=server’ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
Client¶
openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj ‘/CN=client’ openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt
Nginx¶
ssl_client_certificate /etc/ssl/ca.crt; ssl_verify_client on;
curl¶
curl –cert client.crt –key client.key –cacert ca.crt https://api.example.com
mTLS = Zero Trust¶
Automatic in a service mesh. For your own services, use an internal CA.
mtlstlssecurityzero trust