What is mTLS?

mTLS is a method for mutual authentication over network connections. The abbreviation mTLS stands for "mutual TLS". mTLS ensures the authenticity and integrity of the connecting parties at both ends of network connections via X.509 certificates. Technologically, the method is based on the TLS (Transport Layer Security) encryption protocol.

Myra Services on this topic: Automated management of SSL/TLS certificates powered by Myra Certificate Management

mTLS: a definition

Thanks to mTLS, the traffic between client and server is authenticated in both directions – this builds trust and improves security. To ensure the integrity of the connecting parties, X.509 certificates are used for mutual authentication. This extended TLS handshake is supported by TLS by default and is particularly suitable for zero-trust environments or for secure communication with IoT devices or APIs.

How does mTLS work?

In standard TLS connections, which are used to secure online banking, for example, only the server has a key pair consisting of a public and private key. The client merely verifies the server's TLS certificate to exchange data via the encrypted connection.

Establishing a connection via TLS

The client establishes a connection to the server
The server presents its TLS certificate
The server's certificate is verified by the client
Encrypted communication between client and server

With mTLS connections, on the other hand, the server AND client have a cryptographic key pair for mutual authentication. Additional steps are therefore required to establish the connection. For example, the client must now also present its certificate, which in turn is verified by the server. As soon as verification has been successful on both sides, data can be exchanged between client and server via the mTLS connection.

Establishing a connection via mTLS

The client establishes a connection to the server
The server presents its TLS certificate
The server's certificate is verified by the client
The client presents its TLS certificate to the server
The client's TLS certificate is verified by the server
The client gains access to the server if verification is successful
Encrypted communication between client and server

How are the certificates provided?

The certificates required for mutual authentication are provided by a central Certificate Authority (CA). In an enterprise context the CA is usually operated by the respective company itself. For this, the company requires a "root" TLS certificate. In contrast to conventional TLS connections, as are common on the free Internet, no external certification authority is therefore required here – the company can create the root certificate itself.

Where is mTLS used?

In general, mTLS is used whenever access to corporate networks and critical applications is to be secured with an additional security layer. In such scenarios, mTLS can be used to ensure that only clients that have the required certificate can establish a connection at all. This means that access points authenticated by a certificate are more secure than if they were using conventional security mechanisms such as password-protected accounts. Common attack methods such as credential stuffing, credential cracking, brute force, and even phishing will fail on mTLS-secured sites as long as the attackers do not have the respective certificates for the client. However, due to the additional effort that certificate management inevitably entails, mTLS is only suitable if critical resources are to be made available to a small/restricted circle of users. For public websites on the free Internet, mTLS is not an option.

mTLS: What you need to know

mTLS is a method for mutual authentication of network connections via X.509 certificates. In contrast to conventional security via TLS, with mTLS the client also sends out a certificate, which in turn must be verified by the server. This means that there is additional authentication for the client/visitor of the respective website. Only when the certificates have been successfully verified by both client and server, an encrypted data connection can be established via mTLS. This additional layer of protection means that content secured using mTLS is protected against a range of malicious attacks, including credential stuffing, credential cracking, brute force or phishing. In practice, mTLS is particularly suitable, for example, for sensitive web content intended for a firmly defined group of people. Since the method involves a considerable amount of work due to certificate management, deployment scenarios for public websites are not practical.

Myra's Security-as-a-Service solutions support the use of client certificates using mTLS. This enables customers to secure particularly critical web content with an additional layer of protection.

Want to learn more about our solutions, use cases and best practices for attack prevention? In our download area you will find product sheets, fact sheets, white papers and case studies.

To the download area

About the author

Stefan Bordel

Editor

About the author

Stefan Bordel has been working as an editor and technical writer at Myra Security since 2020. In this role, he is responsible for creating and maintaining website content, reports, whitepapers, social media content and documentation. This role allows him to bring his extensive experience in IT journalism and technical knowledge to an innovative cyber security company. Stefan previously worked at Ebner Verlag (formerly Neue Mediengesellschaft Ulm) for 7 years and joined the online editorial team at com! professional after working for Telecom Handel. He gained his first journalistic experience during various internships, including at the IT website Chip Online. As a passionate Linux user, he follows the IT scene closely, both privately and professionally.

Responsible Disclosure Legal notice Privacy policy Privacy Settings Terms and Conditions