Secure communication over the internet has long relied on TLS (Transport Layer Security), the successor to the older SSL protocols, of which SSL 3.0 was the last version.
Attacks such as POODLE showed that SSL 3.0 is no longer secure, and users were advised to stop using it to avoid exposing their private information.
A stronger approach, built on top of TLS rather than replacing it, is mTLS (Mutual Transport Layer Security). In ordinary TLS only the server presents a certificate; in mTLS the client presents one as well, so both ends of the connection are authenticated and trusted.
For example, cloud organizations run multiple products across multiple environments, and traffic between those environments and products is a common place for security breaches and data exposure. mTLS is one method of building trust between products and environments.
Let’s see how mTLS works
Consider three products, A, B and C, that communicate with a single resource. Communication from each product to the resource can be authenticated using mTLS. Say a client certificate that authenticates to the resource is installed in products A and B. Then connections from products A and B are authenticated, but traffic from product C is denied, since product C has no client certificate with which to authenticate.
(Referring to the above image: the service holds the root CA certificate and, during the TLS handshake, accepts any connection that presents a client certificate issued by that root CA. A connection with no client certificate, or with a certificate that was not issued by the root CA, is rejected.)
Let's see how to create a root CA and a client certificate with its key.
Server-Side Certificate Creation
Generate the Server CA key
OpenSSL > genrsa -des3 -out rootCa<env>.key 4096
Eg: For dev environment
OpenSSL > genrsa -des3 -out rootCaDev.key 4096
You will be prompted for a passphrase (-des3 encrypts the key with it). Use one of the following commands to generate a 35-character random passphrase.
MacOS: pwgen -c -n -y -s -B -1 35 -r "\"'\`<>"
Ref - https://formulae.brew.sh/formula/pwgen
Linux: pwgen -c -n -y -s -1 35 | sed -E "s/\"|<|>|\`|'/$(($RANDOM % 9))/g"
Ref - https://linuxconfig.org/how-to-use-a-command-line-random-password-generator-pwgen-on-linux
(Your CA key will be generated and stored as rootCa<env>.key in the directory of the open terminal. The file is PEM text, so you can view it in any text editor, but the key material inside is encrypted under the passphrase.)
Create and self-sign the Root Certificate using the following command,
req -x509 -new -nodes -key rootCa<env>.key -sha256 -days 3650 -out rootCa<env>.crt
Eg: For Dev environment,
OpenSSL > req -x509 -new -nodes -key rootCaDev.key -sha256 -days 3650 -out rootCaDev.crt
(This command will prompt for the following information which will be contained in the certificate.)
Prompt | Response
Country Name: | Two-letter abbreviation of the country name
State or Province Name: | State or province name
Locality Name: | City, town, or suburb name
Organization Name: | Name of the organization or company
Organizational Unit Name: | The organizational unit, which should represent the CA's name
Common Name: | Either a person responsible for operating the CA or a generic name representing the CA itself
Email Address: | An e-mail address that can be used to raise concerns about certificates. This should be someone responsible for the CA.
A challenge password []: | - (leave blank)
An optional company name []: | - (leave blank)
Once the above details are given, a certificate file will be created in the directory of your open terminal.
The CA key should be uploaded to a secure key vault along with its passphrase.
Share ONLY the certificate among the relevant parties; the CA key never leaves the vault.
Client-Side Certificate Creation
Generate the client key,
genrsa -out <env>.<product>.<env>.key 2048
Eg: For dev environment,
OpenSSL > genrsa -out dev.productA.dev.key 2048
Generate the Certificate Signing Request using the client key generated in the previous step,
req -new -sha256 -key <env>.<product>.<env>.key -subj "/C=<country>/ST=WP/O=<COMPANYNAME>/CN=<env>.<product>.<env>" -out <env>.<product>.<env>.csr
Eg: For dev environment,
OpenSSL > req -new -sha256 -key dev.<product>.dev.key -subj "/C=LK/ST=WP/O=<COMPANYNAME>/CN=dev.<product>.dev" -out dev.<product>.dev.csr
Option | Description
-sha256 | The CSR will be signed with SHA-256.
-key | The client key file generated in the previous step
-subj | The subject of the certificate:
C= Two-letter abbreviation of the country name (for <COMPANYNAME>, this should be: US)
ST= State or province name (for <COMPANYNAME>, this should be: California)
O= Name of the organization or company (for <COMPANYNAME>, this should be: <COMPANYNAME>, Inc.)
CN= A name identifying the client, here <env>.<product>.<env>; the resource can use it to tell which product presented the certificate
-out | The output filename for the CSR
Create the client certificate by signing the CSR created in the previous step with the root CA key and certificate created in the Server-Side Certificate Creation steps.
x509 -req -in <env>.<product>.<env>.csr -CA rootCa<env>.crt -CAkey rootCa<env>.key -CAcreateserial -out <env>.<product>.<env>.crt -days 365 -sha256
Eg: For the dev environment,
OpenSSL > x509 -req -in dev.ProductA.dev.csr -CA rootCaDev.crt -CAkey rootCaDev.key -CAcreateserial -out dev.ProductA.dev.crt -days 365 -sha256
You will be prompted for the passphrase of the server CA key.
Once the above passphrase is given a Certificate file will be created in the path of your open terminal.
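The whole procedure above, run end to end for the dev environment and then checked the way the resource in the product A/B/C scenario would check it. This is an added example, not code from the original page or from the tool it links to. It assumes openssl is on PATH, uses placeholder subject fields (C=LK/ST=WP/O=Example Inc), generates the CA key without -des3 so it can run unattended (for a real CA keep -des3 and put the key and passphrase in a vault), and stands in a second, untrusted CA (rootCaOther) for product C, which has no certificate from the trusted CA.

```shell
#!/bin/sh
# Added example, not part of the original page: runs the certificate
# procedure end to end for the "dev" environment, then acts as the
# resource and checks which products it would accept.  Assumptions:
# openssl is on PATH; subject fields are placeholders; the CA key is
# generated WITHOUT -des3 so the script runs unattended (keep -des3 and
# a vault for a real CA); rootCaOther is an unrelated CA standing in
# for product C, which holds no certificate from the trusted CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
ENV_NAME="dev"

# Server side: CA key plus self-signed root certificate.
make_root_ca() {                      # $1 = CA basename, e.g. rootCaDev
  openssl genrsa -out "$WORK/$1.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/$1.key" -sha256 -days 3650 \
    -subj "/C=LK/ST=WP/O=Example Inc/CN=$1" -out "$WORK/$1.crt"
}

# Client side: key, CSR, and a certificate issued by the named CA,
# following the page's <env>.<product>.<env> naming convention.
make_client_cert() {                  # $1 = product, $2 = CA basename
  name="$ENV_NAME.$1.$ENV_NAME"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/$name.key" \
    -subj "/C=LK/ST=WP/O=Example Inc/CN=$name" -out "$WORK/$name.csr"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$name.crt" -days 365 -sha256 2>/dev/null
}

# What the resource does on each connection: validate the presented client
# certificate against the root CA it trusts.  Returns 0 = accepted, 1 = denied.
check_client() {                      # $1 = product
  if openssl verify -CAfile "$WORK/rootCaDev.crt" \
       "$WORK/$ENV_NAME.$1.$ENV_NAME.crt" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# CN of a client certificate: once the chain checks out, this is the
# identity the resource authorizes on (e.g. dev.productA.dev -> product A).
client_cn() {                         # $1 = product
  openssl x509 -in "$WORK/$ENV_NAME.$1.$ENV_NAME.crt" -noout -subject \
    | sed 's/.*CN *= *//'
}

make_root_ca rootCaDev                # the CA the resource trusts
make_root_ca rootCaOther              # unrelated CA, stands in for product C
make_client_cert productA rootCaDev
make_client_cert productB rootCaDev
make_client_cert productC rootCaOther # not issued by the trusted CA

for p in productA productB productC; do
  if check_client "$p"; then
    echo "$p: accepted as $(client_cn "$p")"
  else
    echo "$p: denied (certificate not issued by rootCaDev)"
  fi
done
```

Products A and B pass the chain check and product C is denied, which is exactly the behaviour described in the scenario above. Two caveats a practitioner should keep in mind: `openssl x509 -req` issues a certificate with no extensions (for example no extendedKeyUsage = clientAuth) unless you pass `-extfile`, and a real server's trust store should contain only the root CA certificate, not the system bundle, so that nothing but certificates issued by rootCaDev is accepted. To exercise an actual handshake rather than an offline chain check, `openssl s_server -Verify 1 -CAfile rootCaDev.crt` with a server certificate and key, and `openssl s_client` with `-cert`, `-key` and `-CAfile`, use the same files.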
mTLS communication certification
You can use this tool to create the required certificates and keys.
The above tool is written in bash around OpenSSL and automates the commands shown above.