Standard TLS only verifies the server. Mutual TLS verifies both sides. The foundation of zero trust architecture for service-to-service communication.
When to Use mTLS¶
- Microservices communication
- API-to-API communication
- IoT devices to server
- Zero trust environments
Creating certificates¶
CA¶
openssl genrsa -out ca-key.pem 4096 openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650 -subj “/CN=Internal CA”
Server cert¶
openssl genrsa -out server-key.pem 2048 openssl req -new -key server-key.pem -out server.csr -subj “/CN=api.internal” openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -days 365
Client cert¶
openssl genrsa -out client-key.pem 2048 openssl req -new -key client-key.pem -out client.csr -subj “/CN=service-a” openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -out client-cert.pem -days 365
Nginx mTLS¶
server { listen 443 ssl; ssl_certificate /etc/ssl/server-cert.pem; ssl_certificate_key /etc/ssl/server-key.pem; ssl_client_certificate /etc/ssl/ca-cert.pem; ssl_verify_client on; }
Key Takeaway¶
mTLS verifies both sides of the communication. For microservices, use a service mesh (Istio, Linkerd).