Documentation Index
Fetch the complete documentation index at: https://notes.kodekloud.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
Mutual TLS (mTLS) enhances standard TLS by providing two-way authentication between client and server. In this lesson, we’ll:- Review one-way TLS (server-only authentication).
- Introduce mTLS handshake flows.
- Demonstrate how to generate certificates with OpenSSL.
- Explore securing pod-to-pod traffic in Kubernetes.
Recap: One-Way TLS (Server Authentication)
When you visit an HTTPS website—like your online bank—the browser and server establish an encrypted channel using asymmetric and symmetric cryptography.- Client requests the server’s certificate.
- Server sends its public certificate, signed by a trusted Certificate Authority (CA).
- Browser verifies the certificate against its trust store (public keys of known CAs).
- Browser generates a random symmetric key, encrypts it with the server’s public key, and sends it to the server.
- Server decrypts the symmetric key with its private key.
- Both parties use the symmetric key to encrypt application data.
One-way TLS ensures confidentiality and server authenticity but relies on application-layer credentials (usernames, passwords) to authenticate the client.
TLS Handshake Steps
| Step | Description |
|---|---|
| 1 | Client → Server: “Send me your certificate.” |
| 2 | Server → Client: “Server Certificate signed by CA.” |
| 3 | Client: Validate certificate chain using CA public key from trust store. |
| 4 | Client → Server: “Here’s a symmetric key, encrypted with your public key.” |
| 5 | Server: Decrypt symmetric key with its private key. |
| 6 | Both: “All data now encrypted with this symmetric key.” |
Mutual TLS (mTLS) Handshake
In mTLS, both sides present certificates. This is ideal for machine-to-machine communications—such as two services exchanging confidential data—without human credentials.Why Use mTLS?
| Benefit | Description |
|---|---|
| Strong Mutual Authentication | Both client and server verify each other’s identities. |
| Automated Trust Management | Certificates can be rotated and validated automatically. |
| Defense in Depth | Prevents unauthorized services from connecting, even if they know the endpoint. |
Ensure your CA certificates are stored securely and rotated regularly to prevent unauthorized access.
mTLS Handshake Sequence
| Step | Client → Server | Server → Client |
|---|---|---|
| 1 | “Send me your certificate.” | |
| 2 | “Here’s my certificate. Now send yours.” | |
| 3 | Validate server certificate via CA. | |
| 4 | “Here’s my certificate + encrypted symmetric key.” | |
| 5 | Validate client certificate via CA. | |
| 6 | Mutual authentication complete. | Mutual authentication complete. |
| 7 | Both: Encrypt all further communication with the shared symmetric key. |
Generating mTLS Certificates with OpenSSL
Below is a sample workflow to create a root CA, a server certificate, and a client certificate.Securing Pod-to-Pod Communication in Kubernetes
In a Kubernetes cluster, you can enforce mTLS between services using service meshes like Istio or Linkerd. These platforms automate certificate issuance, rotation, and mutual authentication.| Service Mesh | mTLS Support | Key Features |
|---|---|---|
| Istio | Built-in | Policy-driven security, telemetry, routing. |
| Linkerd | Built-in | Lightweight, auto-mTLS, simple configuration. |
Links and References
- Kubernetes Documentation: TLS Setup
- Istio Security Concepts
- Linkerd mTLS Guide
- RFC 5246: TLS 1.2 Specification