
Small-Scale Question Sunday for October 20, 2024

Do you have a dumb question that you're kind of embarrassed to ask in the main thread? Is there something you're just not sure about?

This is your opportunity to ask questions. No question too simple or too silly.

Culture war topics are accepted, and proposals for a better intro post are appreciated.


Whatever HTTP library you use should support it. Just check the documentation for the library. The admins of the server might require you to send them a CSR so they can sign you a certificate. You can use the openssl command line tools to generate a CSR. If you do need to generate a CSR, the admins of the server should explain the requirements of the CSR and ideally they should give you the openssl command you can use to generate it. Though, I guess depending on what this is for, there might be security requirements about how key material is generated/stored.

I think the main potential pitfall around mTLS is how libraries handle pooling if you use multiple certificates. Often libraries don't use the certificate as part of the pool key, so if you try to make a request with certificate X you might end up making a request with certificate Y [!?]. But if you are only using a single certificate then this cannot happen.

mTLS also gives you the option of protecting the private key using an HSM so the key material is never exposed outside of the HSM. But I'm guessing this is probably overkill for whatever you are doing.

EDIT:

This is assuming you are using HTTP but I guess if you are just sending bytes over the wire or have another protocol then your TLS library documentation should explain how to use mTLS.
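The CSR round trip the comment above describes, as an added example that is not part of the thread: a client key and CSR are generated with the openssl tools, a throwaway local CA stands in for the server admins and signs it, and the resulting certificate is checked against the CA and against the key on disk before a client would present it. Subject names (`demo-client`, `example-ca`), file names and the 2048-bit RSA key size are assumptions; a real server's admins would state their own requirements.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks a client CSR through a local
# CA so the whole flow can be exercised offline. Names and key sizes assumed.
set -eu
umask 077   # private keys and everything else created here are owner-only

# Step 1 (client side): private key plus CSR carrying the requested subject.
make_client_csr() {
    dir="$1"; cn="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    # A CSR is signed with the key it contains; this confirms that signature,
    # which is what the admins would check before signing it.
    openssl req -in "$dir/client.csr" -noout -verify >/dev/null 2>&1
}

# Step 2 (stand-in for the server admins): throwaway CA signs the CSR.
# Only the CSR crosses the boundary; client.key never leaves the client.
sign_with_local_ca() {
    dir="$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=example-ca" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -out "$dir/client.crt" >/dev/null 2>&1
}

# Step 3 (client side, before loading cert+key into the HTTP library):
# the cert must chain to the CA and must belong to the private key on disk.
# A mismatched pair is the usual cause of "handshake failure" with no detail.
check_client_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/client.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Returns the subject of the issued cert, so callers can confirm the CN.
client_cert_subject() {
    openssl x509 -in "$1/client.crt" -noout -subject
}

# Stand-alone run: everything lands in a fresh temporary directory.
workdir=$(mktemp -d)
make_client_csr "$workdir" demo-client
sign_with_local_ca "$workdir"
check_client_cert "$workdir" && echo "client cert OK: $workdir/client.crt"
```

The files it leaves behind are what an HTTP client library expects for mTLS: `client.crt` and `client.key` are the pair you hand to the library, and `ca.crt` here plays the role of whatever CA bundle the server's operators tell you to trust.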