Setting up Mutual TLS authentication

Mutual TLS (mTLS) is an additional layer of network connection security that is added on top of our existing TLS product. By default, the TLS protocol only requires a server to present a trusted certificate to the client. mTLS requires the client to also present a trusted certificate to the server. Instead of having to rely on traditional authentication methods like passwords or API keys, the server to client connection is secured using TLS certificates.

Prerequisites

To use mTLS, be sure you have the following prerequisites in place:

  • a paid account with a contract for Fastly's services.
  • an existing TLS activation consisting of valid domains, TLS configuration, and TLS certificate. The certificate may be either Fastly-managed or self-managed.
  • a .pem file containing one or more certificates certified by a certification authority (CA). This file is used as your chain of trust to verify the client certificates for your connection.
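
A pre-upload check for the chain-of-trust file described in the last prerequisite, added here as an example (it is not Fastly's own tooling). It assumes the `openssl` CLI is installed; the function names, file names and throwaway demo certificates are all constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-upload checks for an mTLS trust bundle.
# Function and file names are assumptions; requires the openssl CLI.

# Print the number of CERTIFICATE blocks in a PEM bundle.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeed if the bundle contains a private key block (it never should).
has_private_key() { grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Succeed if the client certificate ($2) verifies against the bundle ($1).
chains_to_bundle() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Run all checks; print a verdict and return non-zero on the first failure.
lint_bundle() {
    bundle=$1; client=$2
    n=$(count_certs "$bundle") || n=0
    [ "$n" -ge 1 ] || { echo "FAIL: no certificates in $bundle"; return 1; }
    if has_private_key "$bundle"; then
        echo "FAIL: $bundle contains a private key"; return 1
    fi
    chains_to_bundle "$bundle" "$client" ||
        { echo "FAIL: $client does not chain to $bundle"; return 1; }
    echo "OK: $n CA certificate(s); $client verifies"
}

# Build constructed, throwaway material in directory $1: a demo CA, a client
# certificate it issued, and a self-signed "stranger" it did not issue.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Client CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client-1" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stranger" \
        -keyout "$d/stranger.key" -out "$d/stranger.pem" 2>/dev/null
}

# Demo: the issued client passes, the stranger is rejected.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
lint_bundle "$demo_dir/ca.pem" "$demo_dir/client.pem"
lint_bundle "$demo_dir/ca.pem" "$demo_dir/stranger.pem" || true
rm -rf "$demo_dir"
```

For a real deployment, call `lint_bundle` with the .pem file you intend to upload and a certificate issued to one of your clients.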

Setting up mTLS for the first time

Setting up mutual TLS authentication consists of uploading an mTLS certificate and defining the domains on which you want mTLS enforced.

To apply mTLS:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Drag and drop your certificate file into the drag and drop area to upload it. Alternatively, click the Browse for certificate file button to navigate to the file on your system using the file picker. The Mutual TLS certificate details page appears.
  5. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate in the web interface.
  6. Leave the Require mTLS checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful. Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails.
  7. Click the Save and next button to continue.
  8. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
  9. Click the Done button. A card for the new mTLS configuration is added to the Mutual TLS page.

Uploading additional mTLS certificates

You can upload additional mTLS certificates to apply mutual TLS authentication to your domains.

To upload additional certificates:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the Upload mutual TLS certificate button. A file picker opens.
  5. Navigate to the file on your system using the file picker. The Mutual TLS certificate details page appears.
  6. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate in the web interface.
  7. Leave the Require mTLS checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful. Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails.
  8. Click the Save and next button to continue.
  9. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
  10. Click the Done button. A card for the new mTLS configuration is added to the Mutual TLS page.

Adding and removing domains

From the mTLS certificate details page, you can edit the domains on which mTLS is enforced.

To add domains:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the View certificate details link. The Mutual TLS certificate details page appears.
  5. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
  6. Click the Done button to save your changes.

To remove domains:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the View certificate details link. The Mutual TLS certificate details page appears.
  5. Click the trash can icon next to the domain you want to remove.
  6. Click the Done button to save your changes.

Editing Mutual TLS certificate details

From the mTLS certificate details page, you can edit the authentication name and the mTLS enforcement option.

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the View certificate details link. The Mutual TLS certificate details page appears.
  5. Click the Back to certificate settings link.
  6. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate in the web interface.
  7. Use the Require mTLS checkbox to determine whether mTLS is enforced. If selected, connections are only allowed when mTLS authentication is successful. If deselected, connections proceed even if mTLS authentication fails.

Replacing an mTLS certificate

From the Mutual TLS page, you can replace the certificate used for mTLS.

To replace the certificate:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the Replace link on the card for the mTLS configuration you want to update.
  5. Drag and drop your certificate file into the drag and drop area to upload it. Alternatively, click the Browse for certificate file button to navigate to the file on your system using the file picker.
  6. Click the Submit button to save your changes.

Deleting an mTLS authentication

To delete an mTLS configuration, you must ensure there are no active domains on the mutual authentication. If there are, edit the configuration to remove the active domains before proceeding.

To delete an mTLS configuration:

  1. Log in to the Fastly web interface and click the Secure link. The Secure page appears displaying an overview of Fastly's security offerings.
  2. Click the Manage certificates button. The TLS domains page appears displaying any domains for which TLS has been or can be activated.
  3. Click the Mutual TLS tab.
  4. Click the trash can icon on the card for the mTLS configuration you want to delete.
  5. Confirm that you want to delete the mutual authentication and then click the Delete button.