What Is mTLS And How It Works

Secure communication over the internet has long relied on the widely adopted TLS (Transport Layer Security), the successor to SSL 3.0.

Attacks such as POODLE showed that SSL 3.0 is no longer secure, and all users were advised to stop using it in order to avoid exposing their private information.

As an alternative and better approach, mTLS (Mutual Transport Layer Security) was introduced. In mTLS both the client and the server present certificates, so connections between them are secure and trusted in both directions.

For example, cloud organizations run multiple products across multiple environments, and communication between those environments and across products is where many security breaches and data exposures happen. mTLS can be used as a method of building trust between products and environments.

Let's see how mTLS works

Consider three products, A, B, and C, that communicate with a single resource. In this scenario, communications from each product to the resource can be authenticated using mTLS. Let's say a client certificate that authenticates communication to the resource is installed in products A and B. Communications from products A and B will then be authenticated, but traffic from product C will be denied, since product C has no client certificate to authenticate with.


(Referring to the above image: once setup is complete, the service that holds the root CA certificate will authorize any connection that presents a client certificate issued by that root CA. A connection whose client certificate was not created using the root CA will not be authorized.)

Let's see how to create a root CA and a client certificate with its key.

Server-Side Certificate Creation

1. Generate the Server CA key

OpenSSL > genrsa -des3 -out rootCa<env>.key 4096

Eg: For dev environment

OpenSSL > genrsa -des3 -out rootCaDev.key 4096

You will be asked to enter a passphrase. Use one of the following commands to generate a strong random passphrase (at least 20 characters).

MacOS: pwgen -c -n -y -s -B -1 35 -r "\"'\`<>"

Ref - https://formulae.brew.sh/formula/pwgen 

Linux: pwgen -c -n -y -s -1 35 | sed -E "s/\"|<|>|\`|'/$(($RANDOM % 9))/g"

Ref - https://linuxconfig.org/how-to-use-a-command-line-random-password-generator-pwgen-on-linux 

(Your CA key will be generated and stored as the file rootCa<env>.key in the directory of your open terminal. You can view the CA key with any text editor.)

2. Create and self-sign the Root Certificate using the following command,

req -x509 -new -nodes -key rootCa<env>.key -sha256 -days 3650 -out rootCa<env>.crt

Eg: For Dev environment,

OpenSSL > req -x509 -new -nodes -key rootCaDev.key -sha256 -days 3650 -out rootCaDev.crt

(This command will prompt for the following information, which will be contained in the certificate.)

Prompt Response
Country Name: Two-letter abbreviation of Country name
State or Province Name: State or Province name
Locality Name: City, Town, or Suburb name
Organization Name: Name of the organization or Company
Organizational Unit Name: A name representing the CA
Common Name: Either the person responsible for the operation of the CA or a generic name representing the CA itself
Email Address: An e-mail address that can be used for notifications about certificate concerns. It should reach someone responsible for the CA.
A challenge password []: -
An optional company name []: -

Once the above details are given, a certificate file will be created in the directory of your open terminal.

The CA key should be uploaded to a secured key vault together with its passphrase.

Share ONLY the certificate among the relevant parties; the CA key never leaves the vault.

Client-Side Certificate Creation

1. Generate the Client certificate key,

genrsa -out <env>.<product>.<env>.key 2048

Eg: For dev environment,

OpenSSL > genrsa -out dev.productA.dev.key 2048

2. Generate the Certificate Signing Request using the client key generated in step 1,

req -new -sha256 -key <env>.<product>.<env>.key -subj "/C=<country>/ST=WP/O=<COMPANYNAME>/CN=orgsync.<env>.<product>.<env>" -out <env>.<product>.<env>.csr

Eg: For dev environment,

OpenSSL > req -new -sha256 -key dev.productA.dev.key -subj "/C=LK/ST=WP/O=<COMPANYNAME>/CN=dev.productA.dev" -out dev.productA.dev.csr

Option: Description
-sha256: The request will be signed with SHA-256.
-key: The client key file generated in step 1.
-subj: The subject fields of the certificate:
    C= Two-letter abbreviation of the country name (for <COMPANYNAME>, this should be: US)
    ST= State or Province name (for <COMPANYNAME>, this should be: California)
    O= Name of the organization or company (for <COMPANYNAME>, this should be: <COMPANYNAME>, Inc.)
    CN= Either the person responsible for the operation of the CA or a generic name representing the CA itself
-out: The output filename.

3. Create the Client Certificate using the CSR created in step 2 and the root CA created in Server-Side Certificate Creation steps 1 and 2.

x509 -req -in <env>.<product>.<env>.csr -CA rootCa<env>.crt -CAkey rootCa<env>.key -CAcreateserial -out <env>.<product>.<env>.crt -days 365 -sha256

Eg: For the dev environment,

OpenSSL > x509 -req -in dev.productA.dev.csr -CA rootCaDev.crt -CAkey rootCaDev.key -CAcreateserial -out dev.productA.dev.crt -days 365 -sha256

You will be asked to enter the passphrase of the Server CA key.

Once the passphrase is given, the client certificate file will be created in the directory of your open terminal.

mTLS communication certification

You can use this tool to create the required certificates and keys.

The tool is written in bash on top of OpenSSL and wraps the commands above.