Skip to main content
Mutual Transport Layer Security (mTLS) provides network-layer authentication for Fusion by requiring both the client and server to present valid certificates during the TLS connection process. This feature ensures that only trusted, certificate-authenticated clients can access Fusion APIs and UI endpoints.

Overview

Standard TLS encrypts traffic and allows clients to verify the server’s identity. mTLS extends this by adding client authentication, which means the server also verifies the client’s identity before allowing the connection. mTLS complements but does not replace application-layer authentication methods like SSO and OIDC. It provides an additional security layer at the network level that satisfies zero-trust architecture requirements. The mTLS authentication process is essential if your organization needs to follow any of the following guidelines:
  • Operate under zero-trust security frameworks
  • Have strict compliance requirements such as SOC2, ISO 27001, or HIPAA
  • Restrict API access to specific authenticated services or devices
  • Require network-layer security controls in addition to application authentication
  • Enforce different trust policies for various environments (development, staging, production)

Common use cases

Use mTLS to perform the following functions:
  • Enterprise API security: Restrict Fusion API access to only authenticated services within your infrastructure. Services must present a valid client certificate signed by your organization’s certificate authority (CA).
  • Multi-environment access control: Enforce different certificate requirements for development, staging, and production environments. Development might use self-signed certificates while production requires certificates from your enterprise public key infrastructure (PKI).
  • Compliance and audit: Meet regulatory requirements for network-layer authentication. All client certificate usage is logged in Google Cloud Logging for audit purposes.
  • Zero-trust architecture: Implement defense-in-depth security where every connection must be authenticated at both network and application layers.

Authentication flow

Fusion implements mTLS at the Google Cloud External Application Load Balancer level. The client certificate validation occurs before traffic reaches the Fusion cluster. This diagram illustrates the authentication process.
mTLS and TLS service flow

Prerequisites

This section describes the prerequisites to enable mTLS.

Configure certificate infrastructure

Configure the following certificate aspects:
  • Certificate Authority (CA): Establish access to a trusted CA for signing client certificates
    • Option 1: Use your organization’s existing PKI infrastructure
    • Option 2: Use Google Cloud Certificate Authority Service (platform-managed)
  • CA Certificate: Configure a privacy enhanced mail (PEM) encoded root or intermediate CA certificate to use as a trust anchor
  • Client Certificates: Set up the ability to generate and distribute PKCS#12 (.p12) or PEM certificates to clients

Configure access and permissions

Grant the following access and permissions abilities:
  • Administrative access to the applicable Fusion environment
  • Ability to upload CA certificates to Google Cloud
  • Permissions to configure load balancer settings

Client capabilities

Ensure the following capabilities are in place:
  • Client configuration must support TLS 1.2 or later
  • Client systems must be able to load and present client certificates
  • For browser access, users need certificates imported to their browser’s certificate store
  • For API access, applications need certificate configuration in their HTTP client

Configuration

This section contains the information to configure mTLS.

Configuration steps

These are the high-level steps to configure mTLS.
  1. Provide CA Certificate: Supply your organization’s CA certificate (PEM format) as a trust anchor.
  2. Configure TrustConfig: Load balancer TrustConfig is updated with your CA certificate.
  3. Enable mTLS Policy: Server TLS policy is set to MTLS mode with REJECT_INVALID validation.
  4. Testing: Verify mTLS enforcement in a non-production environment first.
  5. Certificate Distribution: Distribute client certificates to your users and services.
  6. Production Rollout: Enable mTLS for production after successful testing.

Trust configuration options

Customer-managed certificate authority Use your organization’s existing certificate authority. You provide the CA certificate and manage client certificate issuance. This is the most common option for enterprises with established PKI.
Plan certificate distribution carefully before enabling mTLS. All clients must have valid certificates before enforcement begins, or they will be unable to connect.

Using mTLS

Browser access

For users accessing the Fusion UI through a web browser:
  1. Import certificate: Import the PKCS#12 (.p12) certificate into your browser’s certificate store. These are the access paths for the specified browser:
    • Chrome/Edge: Settings > Privacy and security > Security > Manage certificates.
    • Firefox: Settings > Privacy & Security > Certificates > View Certificates > Your Certificates > Import.
    • Safari: Use the macOS Keychain Access to import the certificate.
  2. Access Fusion: Navigate to your Fusion URL.
  3. Certificate selection: Select the certificate provided by your administrator. If prompted, confirm the certificate usage.
  4. Authenticated access: When the certificate is validated, access Fusion.

API access

Use one of the following commands to configure applications and services making API requests to Fusion:
# Use PEM certificate and key
curl -X GET \
  --cert CLIENT_CERT.pem \
  --key CLIENT_KEY.pem \
  https://YOUR_INSTANCE.lucidworks.cloud/api/apps

# Use PKCS#12 certificate
curl -X GET \
  --cert-type P12 \
  --cert CLIENT_CERT.p12:PASSWORD \
  https://YOUR_INSTANCE.lucidworks.cloud/api/apps

Certificate management

Perform the following actions to manage certificates: Certificate expiration: Monitor certificate expiration dates and plan for renewal well in advance. Expired certificates will cause connection failures. Certificate rotation: Perform the following actions to rotate certificates without downtime:
  1. Generate new certificates from the same CA.
  2. Distribute new certificates to clients.
  3. Clients update to use new certificates.
Old certificates remain valid during transition period.
  1. Remove old certificates after all clients have migrated.
Revocation: Perform the following actions if a certificate is compromised:
  1. Revoke the certificate by updating the TrustConfig.
  2. Issue replacement certificates from the CA.
  3. Update all affected clients.

Security considerations

mTLS is one layer of security. Perform the following actions to maintain multiple security controls:
  • Application authentication: Continue using SSO, OIDC, or JWT tokens.
  • Authorization: Enforce role-based access control (RBAC).
  • Network security: Use IP allowlisting where appropriate.
  • Data encryption: Confirm all traffic is encrypted via TLS 1.2+.

Certificate storage

Follow these guidelines for certificate storage:
  • Protect private keys
    • Never commit certificates or private keys to source control.
    • Store certificates in secure key management systems such as HashiCorp Vault, AWS Secrets Manager, and others.
    • Use environment variables or secure configuration files for deployment.
    • Restrict file system permissions on certificate files such as chmod 600.
  • Environment recommendations Follow these guidelines to secure different environments:
    • Use separate certificate authorities or intermediate CAs for different environments.
    • Production certificates should have stricter issuance policies.
    • Development/testing can use self-signed certificates if approved by security team.

Monitoring and logging

This section provides information and guidelines about mTLS event monitoring and logs: All mTLS authentication events are logged in Google Cloud Logging. The events include the following instances:
  • Successful certificate validations
  • Failed authentication attempts
  • Certificate validation errors
Configure alerts for the following events:
  • Unusual patterns in failed authentication attempts
  • Upcoming certificate expirations
  • Certificate validation errors

Troubleshooting

This section provides potential issues and their corresponding resolutions.

Connection refused or certificate errors

Symptom: Client receives connection refused or certificate validation error Common causes:
  • Client certificate not signed by trusted CA
  • Certificate expired
  • Certificate not properly configured in client
  • Wrong certificate selected (browser)
  • Certificate format mismatch (PEM vs PKCS#12)
Resolution:
  1. Verify the certificate is signed by the CA configured in TrustConfig.
  2. Check the certificate expiration date: openssl x509 -in client-cert.pem -noout -dates.
  3. Verify the certificate chain is complete: openssl verify -CAfile ca-cert.pem client-cert.pem.
  4. Test the certificate with curl: curl -v --cert CLIENT_CERT.pem --key CLIENT_KEY.pem https://YOUR_INSTANCE.lucidworks.cloud.

Browser not prompting for certificate

Symptom: Browser doesn’t show certificate selection dialog Common causes:
  • Certificate not imported to browser certificate store
  • Certificate imported to wrong store, for example, to the CA certificates instead of the client certificates
  • Browser cached a previous certificate selection
Resolution:
  1. Verify the certificate is in browser’s personal/client certificate store.
  2. Clear the browser cache and cookies.
  3. Try a private or incognito window.
  4. Re-import the certificate, if necessary.

Certificate works in testing but not production

Symptom: Certificate validates in non-production but fails in production Common causes:
  • Different CA certificates configured per environment
  • Certificate signed by wrong CA
  • TrustConfig not updated in production
Resolution:
  1. Verify the same CA certificate is configured in both environments.
  2. Check the certificate’s issuer: openssl x509 -in CLIENT_CERT.pem -noout -issuer.
  3. Verify the TrustConfig settings.

Application cannot load certificate

Symptom: Application error loading certificate file Common causes:
  • Incorrect file path
  • Insufficient file permissions
  • Certificate format not supported by library
  • Missing intermediate certificates
Resolution:
  1. Verify the file exists and is readable: ls -la CLIENT_CERT.pem.
  2. Check the certificate’s format: openssl x509 -in CLIENT_CERT.pem -noout -text.
  3. For PKCS#12, verify the password is correct.
  4. Ensure the certificate chain includes all intermediate certificates.
  5. Convert between formats if needed:
    • PEM to PKCS#12: openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem
    • PKCS#12 to PEM: openssl pkcs12 -in cert.p12 -out cert.pem -nodes

Frequently asked questions

This section contains commonly-asked questions and their corresponding answers. Does mTLS replace application authentication? No. mTLS provides network-layer authentication but does not replace application-layer authentication methods like SSO, OIDC, or API tokens. Both layers should be used for defense in depth. Can I use mTLS with IP allowlisting? Yes. mTLS and IP allowlisting are complementary security controls. You can use both simultaneously for enhanced security. What happens if a certificate expires during business hours? Clients with expired certificates will be unable to connect. Monitor certificate expiration dates and renew well in advance. Most organizations set up automated alerts 30-60 days before expiration. Can I use different CAs for different groups of clients? Yes. The TrustConfig can include multiple CA certificates as trust anchors. This allows different departments or environments to use separate CAs while accessing the same Fusion instance. How do I handle certificate distribution to multiple users? Organizations typically use the following devices, applications, and features:
  • Mobile Device Management (MDM) systems for employee devices
  • Configuration management tools for servers such as Ansible, Puppet, and Chef
  • Secure file sharing with password-protected archives
  • Hardware security modules (HSMs) or smart cards for high-security environments
Does mTLS impact performance? The mTLS connection process adds minimal latency, which is typically measured in sub-milliseconds. After the initial connection, there is no performance impact on data transfer. The mTLS session resumption can further reduce connection overhead for repeat connections. Can I test mTLS before enabling in production? Yes. Lucidworks strongly recommends testing mTLS in a non-production environment first. Configure mTLS in a staging environment before production rollout. For more information, see the following topics: