~~NOTOC~~
====== Scenario 10.3: mTLS Deployment ======
**Category:** [[.:start|TLS/mTLS]] \\
**Complexity:** ⭐⭐⭐⭐ (High) \\
**Prerequisites:** Server and client certificates, PKI \\
**Estimated Time:** 30-45 Minutes
----
===== Description =====
This scenario describes the **complete deployment of an mTLS infrastructure** for mutual authentication between clients and servers.
**Use Cases:**
* Zero-Trust Architectures
* Service Mesh (Istio, Linkerd)
* API Security
* Microservices Communication
* IoT Device Authentication
----
===== Architecture =====
flowchart TD
subgraph PKI
ROOT[Root CA] --> INT_SRV[Intermediate CA Server]
ROOT --> INT_CLI[Intermediate CA Clients]
end
subgraph Server
INT_SRV --> SRV_CERT[Server Certificate]
SRV_CERT --> API[API Server]
end
subgraph Clients
INT_CLI --> CLI1[Client 1]
INT_CLI --> CLI2[Client 2]
INT_CLI --> CLI3[Service A]
end
CLI1 <-->|mTLS| API
CLI2 <-->|mTLS| API
CLI3 <-->|mTLS| API
----
===== 1. PKI Structure for mTLS =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
public class MtlsPkiSetup
{
public void CreateMtlsPki(string basePath)
{
using var ctx = PqCryptoContext.Initialize();
// Root CA
using var rootKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
var rootCert = ctx.CreateSelfSignedCertificate(
rootKey,
new DnBuilder().AddCN("mTLS Root CA").AddO("Example").Build(),
validDays: 3650,
extensions: new ExtBuilder()
.BasicConstraints(ca: true, pathLengthConstraint: 2, critical: true)
.KeyUsage(KeyUsageFlags.KeyCertSign | KeyUsageFlags.CrlSign, critical: true)
.Build()
);
SaveCertAndKey(basePath, "root-ca", rootCert, rootKey);
// Server Intermediate CA
using var serverIntKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
var serverIntCert = CreateIntermediateCa(
ctx, rootCert, rootKey, serverIntKey,
"mTLS Server Intermediate CA",
new[] { "dns:.example.com" } // Name Constraint
);
SaveCertAndKey(basePath, "server-int-ca", serverIntCert, serverIntKey);
// Client Intermediate CA
using var clientIntKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
var clientIntCert = CreateIntermediateCa(
ctx, rootCert, rootKey, clientIntKey,
"mTLS Client Intermediate CA",
null // No name constraints for clients
);
SaveCertAndKey(basePath, "client-int-ca", clientIntCert, clientIntKey);
Console.WriteLine("mTLS PKI created");
}
}
----
===== 2. Server Configuration =====
// ASP.NET Core Kestrel mTLS
builder.WebHost.ConfigureKestrel(options =>
{
options.ListenAnyIP(443, listenOptions =>
{
listenOptions.UseHttps(httpsOptions =>
{
// Server certificate
httpsOptions.ServerCertificate = new X509Certificate2(
"server.pfx", "ServerPassword!");
// Require client certificate
httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
// Accepted client CAs
httpsOptions.ClientCertificateValidation = (cert, chain, errors) =>
{
// Only accept certificates from our client CA
return ValidateClientCertificate(cert, chain);
};
});
});
});
bool ValidateClientCertificate(X509Certificate2 cert, X509Chain? chain)
{
// Load trusted client CA
var trustedClientCa = new X509Certificate2("client-int-ca.crt.pem");
// Build custom chain
var customChain = new X509Chain();
customChain.ChainPolicy.CustomTrustStore.Add(trustedClientCa);
customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
customChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
// Check Extended Key Usage: clientAuth
customChain.ChainPolicy.ApplicationPolicy.Add(
new Oid("1.3.6.1.5.5.7.3.2"));
return customChain.Build(cert);
}
----
===== 3. Client Configuration =====
public HttpClient CreateMtlsClient(string clientCertPath, string clientKeyPath, string password)
{
using var ctx = PqCryptoContext.Initialize();
// Load client certificate
var clientCert = ctx.LoadCertificateWithPrivateKey(
clientCertPath,
clientKeyPath,
password
);
// Server trust store
var trustedServerCa = ctx.LoadCertificate("server-int-ca.crt.pem");
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
SslProtocols = SslProtocols.Tls13,
ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
{
var customChain = new X509Chain();
customChain.ChainPolicy.CustomTrustStore.Add(trustedServerCa);
customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
// Extended Key Usage: serverAuth
customChain.ChainPolicy.ApplicationPolicy.Add(
new Oid("1.3.6.1.5.5.7.3.1"));
return customChain.Build(cert);
}
};
handler.ClientCertificates.Add(clientCert);
return new HttpClient(handler)
{
DefaultRequestHeaders = { { "User-Agent", "mTLS-Client/1.0" } }
};
}
----
===== 4. Nginx mTLS Reverse Proxy =====
server {
listen 443 ssl http2;
server_name api.example.com;
# Server certificate
ssl_certificate /etc/nginx/ssl/server-chain.pem;
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
# Client authentication
ssl_client_certificate /etc/nginx/ssl/client-ca-chain.pem;
ssl_verify_client on;
ssl_verify_depth 2;
# CRL checking
ssl_crl /etc/nginx/ssl/client-ca.crl;
# TLS 1.3
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# OCSP Stapling for server cert
ssl_stapling on;
ssl_stapling_verify on;
location / {
# Forward client info to backend
proxy_set_header X-Client-Cert-Subject $ssl_client_s_dn;
proxy_set_header X-Client-Cert-Issuer $ssl_client_i_dn;
proxy_set_header X-Client-Cert-Serial $ssl_client_serial;
proxy_set_header X-Client-Cert-Fingerprint $ssl_client_fingerprint;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_pass http://backend:8080;
}
}
----
===== 5. Kubernetes mTLS (Istio) =====
# PeerAuthentication - mTLS for all services in namespace
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICT # mTLS mandatory
---
# DestinationRule - mTLS for outgoing connections
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: default
namespace: production
spec:
host: "*.production.svc.cluster.local"
trafficPolicy:
tls:
mode: ISTIO_MUTUAL # Istio-managed certificates
---
# AuthorizationPolicy - Certificate-based authorization
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: api-access
namespace: production
spec:
selector:
matchLabels:
app: api-server
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/production/sa/frontend-service"]
namespaces: ["production"]
----
===== 6. Monitoring and Logging =====
public class MtlsLoggingMiddleware
{
private readonly RequestDelegate _next;
private readonly ILogger _logger;
public MtlsLoggingMiddleware(RequestDelegate next, ILogger logger)
{
_next = next;
_logger = logger;
}
public async Task InvokeAsync(HttpContext context)
{
var clientCert = context.Connection.ClientCertificate;
if (clientCert != null)
{
_logger.LogInformation(
"mTLS Request: Subject={Subject}, Thumbprint={Thumbprint}, " +
"Serial={Serial}, NotAfter={NotAfter}",
clientCert.Subject,
clientCert.Thumbprint,
clientCert.SerialNumber,
clientCert.NotAfter
);
// Warning for soon-expiring certificates
var daysUntilExpiry = (clientCert.NotAfter - DateTime.UtcNow).Days;
if (daysUntilExpiry < 30)
{
_logger.LogWarning(
"Client certificate expires in {Days} days: {Subject}",
daysUntilExpiry,
clientCert.Subject
);
}
}
await _next(context);
}
}
----
===== Industry-Specific mTLS Deployments =====
^ Industry ^ Infrastructure ^ Certificate Rotation ^ Special Feature ^
| **Cloud Native** | Istio/Linkerd | Automatic (SPIFFE) | Service Mesh |
| **Financial Sector** | Hardware LB | 90 days | HSM-backed |
| **Healthcare** | On-Premise | 1 year | Air-gap capable |
| **IoT** | Edge Gateway | 2-5 years | Offline capable |
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Prerequisite** | [[.:server_setup|10.1 TLS Server]] | Server side |
| **Prerequisite** | [[.:client_config|10.2 TLS Client]] | Client side |
| **Related** | [[en:int:pqcrypt:szenarien:authentifizierung:mtls_client_auth|9.1 mTLS Auth]] | Authentication |
| **Extension** | [[.:hybrid_tls|10.4 Hybrid TLS]] | PQ upgrade |
----
<< [[.:client_config|← 10.2 TLS Client]] | [[.:start|↑ TLS Overview]] | [[.:hybrid_tls|10.4 Hybrid TLS →]] >>
{{tag>scenario tls mtls deployment kubernetes istio}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//