Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?
This is your opportunity to ask questions. No question too simple or too silly.
Culture war topics are accepted, and proposals for a better intro post are appreciated.
Hope everyone is doing well.
Currently, I am working as a software engineer with limited experience. My boss recently came up with an idea for a new product that requires mTLS to connect with a server. However, I’ve never worked with something like this before.
Does anyone have any good resources where I can learn more about this topic?
Any help would be greatly appreciated!
Hey I have previously worked on the same thing, I would highly recommend this book as a reference-
https://www.feistyduck.com/books/bulletproof-tls-and-pki/
Whatever HTTP library you use should support it. Just check the documentation for the library. The admins of the server might require you to send them a CSR so they can sign you a certificate. You can use openssl command line tools to generate a CSR. If you do need to generate a CSR the admins of the server should explain the requirements of the CSR and ideally they should give you the openssl command you can use to generate the CSR. Though, I guess depending on what this is for there might be security requirements about how key material is generated/stored.
I think the main potential pitfall around mTLS is how libraries handle pooling if you use multiple certificates. Often libraries don't use the certificate as part of the pool key, so if you try and make a request with certificate X you might end up making a request with certificate Y [!?]. But if you are only using a single certificate then this cannot happen.
mTLS also gives you the option of protecting the private key using an HSM so the key material is never exposed outside of the HSM. But I'm guessing this is probably overkill for whatever you are doing.
EDIT:
This is assuming you are using HTTP but I guess if you are just sending bytes over the wire or have another protocol then your TLS library documentation should explain how to use mTLS.
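The CSR workflow the reply above describes, as an added, runnable example (not code from the thread or from any of the posters): the client side generates a private key and a CSR with the openssl command-line tools, and, standing in for the server admins, a throwaway CA signs it so the resulting chain can be checked locally. The CN `billing-service`, the CA name, the key type and the file paths under a temp directory are all assumptions; in practice the admins tell you the subject and extensions they expect.

```shell
#!/bin/sh
# Added example (not from the thread): client key + CSR for mTLS, then a
# simulated "server admin" CA signing it. All names/paths are constructed.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"

# Client side: the private key stays on this machine; only the CSR is sent.
make_client_csr() {
    client_name="$1"                       # CN the admins asked you to use (assumed)
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/client.key"
    chmod 600 "$WORK/client.key"           # key material: keep file permissions tight
    openssl req -new -key "$WORK/client.key" \
        -subj "/CN=$client_name" \
        -addext "extendedKeyUsage=clientAuth" \
        -out "$WORK/client.csr"
    # Sanity-check the CSR's self-signature before sending it anywhere.
    openssl req -in "$WORK/client.csr" -noout -verify
}

# Admin side (simulated): a throwaway CA issues a short-lived client cert.
# Extensions are applied at signing time via an extfile, which works on
# both OpenSSL 1.1.1 and 3.x.
ca_sign_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 \
        -subj "/CN=Example mTLS CA (constructed)" -out "$WORK/ca.crt"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 90 -extfile "$WORK/client.ext" -out "$WORK/client.crt"
}

# Checks a client would run on what comes back: the cert chains to the CA,
# and its public key really matches the private key generated above.
check_issued_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null
    key_pub=$(openssl pkey -in "$WORK/client.key" -pubout -outform DER | openssl sha256)
    crt_pub=$(openssl x509 -in "$WORK/client.crt" -pubkey -noout \
              | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Returns the certificate subject line, e.g. "subject=CN = billing-service".
issued_cert_subject() {
    openssl x509 -in "$WORK/client.crt" -noout -subject
}

make_client_csr "billing-service"
ca_sign_csr
check_issued_cert
echo "issued: $(issued_cert_subject) in $WORK"
```

Once you have `client.crt` and `client.key`, the HTTP library takes them as the client identity: with curl that is `--cert client.crt --key client.key --cacert ca.crt`, and Python's requests takes `cert=("client.crt", "client.key")`. If you ever hold more than one client certificate, keep one client/session object per certificate rather than sharing a pool, which sidesteps the pooling mix-up the reply describes.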