Setting up Mutual TLS authentication

  Last updated 2025-03-03

Mutual TLS (mTLS) is an additional layer of network connection security that is added on top of our existing TLS product. By default, the TLS protocol only requires a server to present a trusted certificate to the client. mTLS requires the client to also present a trusted certificate to the server. Instead of having to rely on traditional authentication methods like passwords or API keys, the server to client connection is secured using TLS certificates.

TIP

Are you looking for information on applying TLS on connections between Fastly and your origin? Refer to our Working with hosts guide.

Prerequisites

To use mTLS, be sure you have the following prerequisites in place:

  • a paid account with a contract for Fastly's services.
  • an existing TLS activation consisting of valid domains, a TLS configuration with the relevant domains added, and TLS certificate. The certificate may be either Fastly-managed or self-managed.
  • a .pem file containing one or more certificates certified by a certification authority (CA). This file is used as your chain of trust to verify the client certificates for your connection.
NOTE

mTLS is supported on Compute services for origins configured via Dynamic Backends. To set up mTLS for Compute services with static backends, contact Fastly Support.

Important considerations

You can have multiple root or intermediate certificates as long as they are combined into one certificate bundle (.pem file). However, if you have multiple SANs on your server-side certificate, it's best to separate the mTLS domains from your standard TLS certificates. Otherwise, some browsers will reuse the standard TLS connection and thereby bypass mTLS.

Setting up mTLS for the first time

Setting up mutual TLS authentication consists of uploading an mTLS certificate and defining the domains you want to secure with mTLS. You can enforce an mTLS connection on all requests to your domains, denying a connection if a valid certificate isn't presented. Or, you can allow connections to proceed whether or not the mTLS connection is successful. The latter option let's you secure sensitive communications with mTLS while still allowing less sensitive data to be transmitted over non-mTLS connections, which can be useful as you transition to using mTLS.

To apply mTLS:

  1. Log in to the Fastly control panel.

  2. Go to Security > TLS management > Mutual TLS.

  3. Drag and drop your certificate file into the drag and drop area to upload your certificate file. Alternately, click Browse for certificate file to navigate to the file on your system using the file picker. The Mutual TLS certificate details page appears.

  4. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate or certificate bundle in the Fastly control panel.

  5. Do one of the following:

    • Leave the Require mTLS checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful.
    • Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails. Useful when transitioning to using mTLS and required to log or track requests sent without a client certificate.

  6. Click Save and next to continue.

  7. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.

  8. Click Done. A card for the new mTLS configuration is added to the Mutual TLS page.

Uploading additional mTLS certificates

You can upload additional mTLS certificates to apply mutual TLS authentication to your domains.

To upload additional certificates:

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click Upload mutual TLS certificate.
  4. Navigate to the .pem that contains the certificate or certificate bundle. This file is used as your chain of trust to verify the client certificates for your connection.
  5. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate in the web interface.
  6. Leave the Require mTLS checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful. Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails.
  7. Click Save and next to continue.
  8. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
  9. Click Done. A card for the new mTLS configuration is added to the Mutual TLS page.

Adding and removing domains

From the mTLS certificate details page, you can edit the domains on which mTLS is enforced.

To add domains:

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click View certificate details.
  4. From the Add domains menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
  5. Click Done to save your changes.

To remove domains:

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click View certificate details.
  4. Click the trash Trash icon next to the domain you want to remove.
  5. Click Done to save your changes.

Editing Mutual TLS certificate details

From the mTLS certificate details page, you can edit the authentication name and the mTLS enforcement option.

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click View certificate details.
  4. Click Back to certificate settings.
  5. In the Mutual TLS certificate name field, enter a name used to easily identify the certificate in the web interface.
  6. Use the Require mTLS checkbox to determine whether mTLS is enforced. If selected, connections are only allowed when mTLS authentication is successful. If de-slected, connections proceed even if mTLS authentication fails.

Replacing an mTLS certificate

From the Mutual TLS page, you can replace the certificate used for mTLS.

To replace the certificate:

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click Replace on the card for the mTLS configuration you want to update.
  4. Drag and drop your certificate file into the drag and drop area to upload your certificate file. Alternately, click Browse for certificate file to navigate to the file on your system using the file picker.
  5. Click Submit to save your changes.

Deleting an mTLS authentication

To delete an mTLS configuration, you must ensure there are no active domains on the mutual authentication. If there are, edit the configuration to remove the active domains before proceeding.

To delete an mTLS configuration:

  1. Log in to the Fastly control panel.
  2. Go to Security > TLS management > Mutual TLS.
  3. Click the trash Trash icon on the card for the mTLS configuration you want to update.
  4. Confirm that you want to delete the mutual authentication and then click Delete.
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Fastly
© Fastly 2025