How to generate keys and certificates files for TLS mutual authentication?

Introduction

Mutual authentication (or two-way authentication) refers to two parties authenticating each other through verifying the provided digital certificate so that both parties are assured of the others' identity. With mutual authentication, a connection can occur only when the client trusts the server's digital certificate and the server trusts the client's certificate.

TLS mutual authentication provides:

  • an encrypted communication (like TLS with no mutual authentication)
  • an authentication mechanism (to control who can join the cluster) based on certificate authenticity, coupled with certificate CN (Common Name) / SAN (Subject Alternative Name) field validation:
    • like TLS with no mutual authentication, the client authenticates the server by checking if
      • the server certificate is signed through a root CA recognized by the client
      • the server certificate CN/SAN corresponds to the IP or hostname used by the client to initiate the connexion
    • only for TLS mutual authentication, the server authenticates the client by checking if the client certification is signed through a root CA recognized by the server

To implement mutual authentication, each host participating to the TLS communication must have:

  • the CA certificate which will be used to verify that received certificates are generated by the expected CA
  • a keypair (public/private key) with a signed certificate from the CA to prove the ownership of a the public key

How to generate keypair and certificates

The following options are available, in preference order:

Using an existing CA

If you have already an existing CA infrastructure that can be used to generate the adequate keys and certificates in the required format, then just use it. 

Using key generation and signing tools

If you have good knowledge of such tools (like OpenSSL, Java keytool, KeyStore Explorer, ....), we assume you are able to use them to handle the CA, generate private keys, sign them and export keys and certificate in the required format.

Using the KeyStore Manager tool

Axway provides the KeyStore Manager tool in case the previous options are not available for you. More information are available on KeyStore Manager user guide.

Related Links