Using mTLS for your Organization
We have long secured communication over the internet with the widely adopted TLS (Transport Layer Security), the successor of SSL 3.0.
Attacks such as POODLE made SSL 3.0 insecure, and all users were advised to stop using it in order to avoid compromising users’ private information.
mTLS (Mutual Transport Layer Security) was introduced as an alternative and a better approach: it authenticates both the client and the server, so each end of the connection is secure and trusted.
For example, cloud organizations have multiple products and multiple environments. Communication between these environments and across products can lead to security breaches and data exposure. mTLS can be used as a method of building trust between products and environments.
How mTLS works
Consider three products (product A, B, and C) that communicate with a single resource. In this scenario, communication from each product to the resource can be authenticated using mTLS. Say a client certificate that authenticates communication to the resource is installed in products A and B. Communication from products A and B will then be authenticated, but traffic from product C will be denied, since product C has no client certificate to authenticate with.
Once this setup is complete, the service that trusts the root CA certificate will accept any connection that presents a client certificate issued by that root CA. A connection without a proper client certificate (one not issued by the root CA) will be rejected.
Let’s see how we can create a rootCA and a client cert with key.
Server side certificate creation
Generate the Server CA key:
```bash
openssl genrsa -des3 -out rootCa<env>.key 4096
```
Eg: for the dev environment,
```bash
openssl genrsa -des3 -out rootCaDev.key 4096
```
You will be requested to enter a passphrase. Use the following commands to generate a strong passphrase.
macOS:
```bash
pwgen -c -n -y -s -B -1 35 -r "\"'\`<>"
```
Ref: https://formulae.brew.sh/formula/pwgen
Linux:
```bash
pwgen -c -n -y -s -1 35 | sed -E "s/\"|<|>|\`|'/$(($RANDOM % 9))/g"
```
Ref: https://linuxconfig.org/how-to-use-a-command-line-random-password-generator-pwgen-on-linux
Your initial CA key will be generated and stored as a rootCa<env>.key file in the path of the open terminal. You can view the CA key using any text editor.
Create and self-sign the root certificate using the following command:
```bash
openssl req -x509 -new -nodes -key rootCa<env>.key -sha256 -days 3650 -out rootCa<env>.crt
```
Eg: for the dev environment,
```bash
openssl req -x509 -new -nodes -key rootCaDev.key -sha256 -days 3650 -out rootCaDev.crt
```
This command will prompt for the following information, which will be contained in the certificate:
| Prompt | Response |
|---|---|
| Country Name | Two letter abbreviation of country name |
| State or Province Name | State or province name |
| Locality Name | City, town, or suburb name |
| Organization Name | Name of the organization or company |
| Organizational Unit Name | A representation of the CA’s name |
| Common Name | A person responsible for the operation of the CA, or a generic name representing the CA itself |
| Email Address | An address to notify about concerns regarding certificates, someone responsible for the CA |
Once the above details are given, a certificate file will be created in the path of your open terminal.
The CA key should be uploaded to a secured key vault along with its passphrase. Share only the certificate with the relevant parties; the key never leaves the vault.
Client side certificate creation
Generate the client key:
```bash
openssl genrsa -out <env>.<product>.<env>.key 2048
```
Eg: for the dev environment,
```bash
openssl genrsa -out dev.productA.dev.key 2048
```
Generate the Certificate Signing Request using the client key generated above:
```bash
openssl req -new -sha256 -key <env>.<product>.<env>.key -subj "/C=<country>/ST=WP/O=<COMPANYNAME>/CN=<env>.<product>.<env>" -out <env>.<product>.<env>.csr
```
Eg: for the dev environment,
```bash
openssl req -new -sha256 -key dev.productA.dev.key -subj "/C=LK/ST=WP/O=<COMPANYNAME>/CN=dev.productA.dev" -out dev.productA.dev.csr
```
| Flag | Description |
|---|---|
| -sha256 | The request will be signed with SHA-256 |
| -key | The client key file generated in the previous step |
| -subj | C= two letter country code, ST= state/province, O= organization, CN= common name of the subject; for the client certificate this is the client identity, e.g. dev.productA.dev |
| -out | Specifies the output filename |
Create the client certificate using the CSR and the root CA created in the server side steps:
```bash
openssl x509 -req -in <env>.<product>.<env>.csr -CA rootCa<env>.crt -CAkey rootCa<env>.key -CAcreateserial -out <env>.<product>.<env>.crt -days 365 -sha256
```
Eg: for the dev environment,
```bash
openssl x509 -req -in dev.productA.dev.csr -CA rootCaDev.crt -CAkey rootCaDev.key -CAcreateserial -out dev.productA.dev.crt -days 365 -sha256
```
You will be requested to enter the passphrase for the Server CA key. Once given, a certificate file will be created in the path of your open terminal.
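The whole procedure above, run end to end as an added example (not the tool or commands of the original page): it builds a throwaway root CA in a temporary directory, issues a client certificate for product A from it, issues a second certificate for product C from an unrelated CA, and then uses `openssl verify` to show which certificate chains to the organization's root CA, which is exactly the check the resource performs before accepting a connection. Passphrases, the organization name and the rogueCa name are constructed values for the example; in real use the CA key and passphrase come from the vault, not from the script.

```shell
#!/bin/sh
# Added example: reproduces the page's CA -> client key -> CSR -> signed cert
# workflow in a temp dir and checks the trust decision with openssl verify.
set -eu

make_ca() {  # $1=dir $2=CA name $3=passphrase (constructed for the example)
  openssl genrsa -des3 -passout "pass:$3" -out "$1/$2.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/$2.key" -passin "pass:$3" -sha256 -days 3650 \
    -subj "/C=LK/ST=WP/O=ExampleOrg/CN=$2" -out "$1/$2.crt" 2>/dev/null
}

issue_client() {  # $1=dir $2=CA name $3=CA passphrase $4=client name
  openssl genrsa -out "$1/$4.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/$4.key" \
    -subj "/C=LK/ST=WP/O=ExampleOrg/CN=$4" -out "$1/$4.csr" 2>/dev/null
  openssl x509 -req -in "$1/$4.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -passin "pass:$3" -CAcreateserial -out "$1/$4.crt" -days 365 -sha256 2>/dev/null
}

# Returns 0 when the client certificate chains to the given root CA, 1 otherwise.
# This is the same trust check the resource applies to a presented client cert.
chains_to_root() {  # $1=root CA crt $2=client crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Builds the scenario from the text: product A holds a cert from the org root CA,
# product C holds a cert from some other CA. Prints the resulting decisions.
demo() {
  dir=$(mktemp -d)
  make_ca "$dir" rootCaDev 'dev-ca-pass'      # the organization's root CA
  make_ca "$dir" rogueCa 'other-pass'         # an unrelated CA (constructed)
  issue_client "$dir" rootCaDev 'dev-ca-pass' dev.productA.dev
  issue_client "$dir" rogueCa 'other-pass' dev.productC.dev
  a=rejected; c=rejected
  chains_to_root "$dir/rootCaDev.crt" "$dir/dev.productA.dev.crt" && a=accepted
  chains_to_root "$dir/rootCaDev.crt" "$dir/dev.productC.dev.crt" && c=accepted
  rm -rf "$dir"
  echo "productA:$a productC:$c"
}

demo
```

Only the certificate issued by rootCaDev passes; the product C certificate is rejected even though it is a valid certificate, because it does not chain to the trusted root.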
mTLS communication certification
You can use this tool to create the required certificates and keys. It is built using Bash and OpenSSL, wrapping the commands above into a repeatable workflow.