
What is mTLS?

mTLS is a method for mutual authentication over network connections. The abbreviation mTLS stands for "mutual TLS". mTLS ensures the authenticity and integrity of the connecting parties at both ends of network connections via X.509 certificates. Technologically, the method is based on the TLS (Transport Layer Security) encryption protocol.


01

mTLS: a definition

Thanks to mTLS, the traffic between client and server is authenticated in both directions, which builds trust and improves security. To ensure the integrity of the connecting parties, X.509 certificates are used for mutual authentication. This extended handshake is supported natively by the TLS protocol and is particularly suitable for zero-trust environments or for secure communication with IoT devices or APIs.

02

How does mTLS work?

In standard TLS connections, which are used to secure online banking, for example, only the server has a key pair consisting of a public and a private key. The client merely verifies the server's TLS certificate before exchanging data over the encrypted connection.


Establishing a connection via TLS

  1. The client establishes a connection to the server

  2. The server presents its TLS certificate

  3. The server's certificate is verified by the client

  4. Encrypted communication between client and server

With mTLS connections, on the other hand, the server AND the client have a cryptographic key pair for mutual authentication. Additional steps are therefore required to establish the connection: in particular, the client must now also present its certificate, which the server in turn verifies. As soon as verification has succeeded on both sides, data can be exchanged between client and server via the mTLS connection.


Establishing a connection via mTLS

  1. The client establishes a connection to the server

  2. The server presents its TLS certificate

  3. The server's certificate is verified by the client

  4. The client presents its TLS certificate to the server

  5. The client's TLS certificate is verified by the server

  6. The client gains access to the server if verification is successful

  7. Encrypted communication between client and server

03

How are the certificates provided?

The certificates required for mutual authentication are provided by a central Certificate Authority (CA). In an enterprise context, the CA is usually operated by the company itself. For this, the company requires a "root" TLS certificate. In contrast to conventional TLS connections, as are common on the public Internet, no external certification authority is therefore required here: the company can create the root certificate itself.
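The handshake from section 02 and the in-house CA from section 03, as an added example in Go (not Myra's code, not part of the original page): an in-memory root CA issues a server and a client certificate, the server is configured to require a client certificate chained to that root, and one round trip is run over loopback. The names root-ca.internal, api.internal and device-0001.internal are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/tls"; "crypto/x509"; "crypto/x509/pkix"
	"math/big"; "time"
)

// issue creates a short-lived P-256 certificate for name; with parent == nil it is self-signed (our root CA).
func issue(name string, ca bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, pk = tmpl, key } // the root signs itself; everything else is signed by the CA key
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// Exchange runs one mTLS round trip over loopback and returns the server's echo of "ping", or the error.
func Exchange(clientPresentsCert bool) (string, error) {
	_, caCert, caKey := issue("root-ca.internal", true, nil, nil)   // the company's own root CA (constructed name)
	srv, _, _ := issue("api.internal", false, caCert, caKey)         // server certificate issued by that CA
	cli, _, _ := issue("device-0001.internal", false, caCert, caKey) // client certificate issued by that CA
	pool := x509.NewCertPool()
	pool.AddCert(caCert) // both sides trust only this root; no public CA is involved
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srv},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // step 5: server verifies the client cert
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // server side: the handshake, including client-certificate verification, runs on the first Read
		c, err := ln.Accept()
		if err != nil { return }
		defer c.Close()
		buf := make([]byte, 16)
		if n, err := c.Read(buf); err == nil { c.Write(buf[:n]) } // step 7: encrypted traffic flows
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "api.internal"} // step 3: client verifies the server cert
	if clientPresentsCert { cfg.Certificates = []tls.Certificate{cli} } // step 4: client presents its cert
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer conn.Close()
	conn.Write([]byte("ping"))
	buf := make([]byte, 16)
	n, err := conn.Read(buf) // a rejected client certificate shows up here (TLS 1.3 alert) or already at Dial (TLS 1.2)
	if err != nil { return "", err }
	return string(buf[:n]), nil
}
```

Exchange(true) returns "ping", while Exchange(false) fails because the server refuses a client that presents no certificate. In production the CA's private key is kept offline or in an HSM and issued certificates get a revocation path; the in-memory root here exists only for the demonstration.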

04

Where is mTLS used?

In general, mTLS is used wherever access to corporate networks and critical applications is to be secured with an additional security layer. In such scenarios, mTLS can be used to ensure that only clients that hold the required certificate can establish a connection at all. This means that access points authenticated by a certificate are more secure than those relying on conventional security mechanisms such as password-protected accounts. Common attack methods such as credential stuffing, credential cracking, brute force, and even phishing will fail on mTLS-secured sites as long as the attackers do not have the respective client certificates. However, due to the additional effort that certificate management inevitably entails, mTLS is only suitable when critical resources are to be made available to a small, restricted circle of users. For public websites on the open Internet, mTLS is not an option.


05

mTLS: What you need to know

mTLS is a method for mutual authentication of network connections via X.509 certificates. In contrast to conventional security via TLS, with mTLS the client also presents a certificate, which in turn must be verified by the server. This means that there is additional authentication for the client, i.e. the visitor of the respective website. An encrypted data connection via mTLS is established only once both client and server have successfully verified each other's certificate. This additional layer of protection means that content secured using mTLS is protected against a range of malicious attacks, including credential stuffing, credential cracking, brute force or phishing. In practice, mTLS is particularly suitable, for example, for sensitive web content intended for a firmly defined group of people. Since certificate management makes the method considerably more labor-intensive, deploying it for public websites is not practical.

Myra's Security-as-a-Service solutions support the use of client certificates using mTLS. This enables customers to secure particularly critical web content with an additional layer of protection.