Overview
Standard TLS encrypts traffic and allows clients to verify the server’s identity. mTLS extends this by adding client authentication, which means the server also verifies the client’s identity before allowing the connection. mTLS complements but does not replace application-layer authentication methods like SSO and OIDC. It provides an additional security layer at the network level that satisfies zero-trust architecture requirements. The mTLS authentication process is essential if your organization needs to follow any of the following guidelines:- Operate under zero-trust security frameworks
- Have strict compliance requirements such as SOC2, ISO 27001, or HIPAA
- Restrict API access to specific authenticated services or devices
- Require network-layer security controls in addition to application authentication
- Enforce different trust policies for various environments (development, staging, production)
Common use cases
Use mTLS to perform the following functions:- Enterprise API security: Restrict Fusion API access to only authenticated services within your infrastructure. Services must present a valid client certificate signed by your organization’s certificate authority (CA).
- Multi-environment access control: Enforce different certificate requirements for development, staging, and production environments. Development might use self-signed certificates while production requires certificates from your enterprise public key infrastructure (PKI).
- Compliance and audit: Meet regulatory requirements for network-layer authentication. All client certificate usage is logged in Google Cloud Logging for audit purposes.
- Zero-trust architecture: Implement defense-in-depth security where every connection must be authenticated at both network and application layers.
Authentication flow
Fusion implements mTLS at the Google Cloud External Application Load Balancer level. The client certificate validation occurs before traffic reaches the Fusion cluster. This diagram illustrates the authentication process.
Prerequisites
This section describes the prerequisites to enable mTLS.Configure certificate infrastructure
Configure the following certificate aspects:- Certificate Authority (CA): Establish access to a trusted CA for signing client certificates
- Option 1: Use your organization’s existing PKI infrastructure
- Option 2: Use Google Cloud Certificate Authority Service (platform-managed)
- CA Certificate: Configure a privacy enhanced mail (PEM) encoded root or intermediate CA certificate to use as a trust anchor
- Client Certificates: Set up the ability to generate and distribute
PKCS#12(.p12) or PEM certificates to clients
Configure access and permissions
Grant the following access and permissions abilities:- Administrative access to the applicable Fusion environment
- Ability to upload CA certificates to Google Cloud
- Permissions to configure load balancer settings
Client capabilities
Ensure the following capabilities are in place:- Client configuration must support TLS 1.2 or later
- Client systems must be able to load and present client certificates
- For browser access, users need certificates imported to their browser’s certificate store
- For API access, applications need certificate configuration in their HTTP client
Configuration
This section contains the information to configure mTLS.Configuration steps
These are the high-level steps to configure mTLS.- Provide CA Certificate: Supply your organization’s CA certificate (PEM format) as a trust anchor.
- Configure TrustConfig: Load balancer TrustConfig is updated with your CA certificate.
- Enable mTLS Policy: Server TLS policy is set to
MTLSmode withREJECT_INVALIDvalidation. - Testing: Verify mTLS enforcement in a non-production environment first.
- Certificate Distribution: Distribute client certificates to your users and services.
- Production Rollout: Enable mTLS for production after successful testing.
Trust configuration options
Customer-managed certificate authority Use your organization’s existing certificate authority. You provide the CA certificate and manage client certificate issuance. This is the most common option for enterprises with established PKI.Using mTLS
Browser access
For users accessing the Fusion UI through a web browser:-
Import certificate: Import the
PKCS#12(.p12) certificate into your browser’s certificate store. These are the access paths for the specified browser:- Chrome/Edge: Settings > Privacy and security > Security > Manage certificates.
- Firefox: Settings > Privacy & Security > Certificates > View Certificates > Your Certificates > Import.
- Safari: Use the macOS Keychain Access to import the certificate.
- Access Fusion: Navigate to your Fusion URL.
- Certificate selection: Select the certificate provided by your administrator. If prompted, confirm the certificate usage.
- Authenticated access: When the certificate is validated, access Fusion.
API access
Use one of the following commands to configure applications and services making API requests to Fusion:- curl
- Python
- Java
- Node.js
Certificate management
Perform the following actions to manage certificates: Certificate expiration: Monitor certificate expiration dates and plan for renewal well in advance. Expired certificates will cause connection failures. Certificate rotation: Perform the following actions to rotate certificates without downtime:- Generate new certificates from the same CA.
- Distribute new certificates to clients.
- Clients update to use new certificates.
Old certificates remain valid during transition period.
- Remove old certificates after all clients have migrated.
- Revoke the certificate by updating the
TrustConfig. - Issue replacement certificates from the CA.
- Update all affected clients.
Security considerations
mTLS is one layer of security. Perform the following actions to maintain multiple security controls:- Application authentication: Continue using SSO, OIDC, or JWT tokens.
- Authorization: Enforce role-based access control (RBAC).
- Network security: Use IP
allowlistingwhere appropriate. - Data encryption: Confirm all traffic is encrypted via TLS 1.2+.
Certificate storage
Follow these guidelines for certificate storage:-
Protect private keys
- Never commit certificates or private keys to source control.
- Store certificates in secure key management systems such as HashiCorp Vault, AWS Secrets Manager, and others.
- Use environment variables or secure configuration files for deployment.
- Restrict file system permissions on certificate files such as
chmod 600.
-
Environment recommendations
Follow these guidelines to secure different environments:
- Use separate certificate authorities or intermediate CAs for different environments.
- Production certificates should have stricter issuance policies.
- Development/testing can use self-signed certificates if approved by security team.
Monitoring and logging
This section provides information and guidelines about mTLS event monitoring and logs: All mTLS authentication events are logged in Google Cloud Logging. The events include the following instances:- Successful certificate validations
- Failed authentication attempts
- Certificate validation errors
- Unusual patterns in failed authentication attempts
- Upcoming certificate expirations
- Certificate validation errors
Troubleshooting
This section provides potential issues and their corresponding resolutions.Connection refused or certificate errors
Symptom: Client receives connection refused or certificate validation error Common causes:- Client certificate not signed by trusted CA
- Certificate expired
- Certificate not properly configured in client
- Wrong certificate selected (browser)
- Certificate format mismatch (PEM vs PKCS#12)
- Verify the certificate is signed by the CA configured in
TrustConfig. - Check the certificate expiration date:
openssl x509 -in client-cert.pem -noout -dates. - Verify the certificate chain is complete:
openssl verify -CAfile ca-cert.pem client-cert.pem. - Test the certificate with curl:
curl -v --cert CLIENT_CERT.pem --key CLIENT_KEY.pem https://YOUR_INSTANCE.lucidworks.cloud.
Browser not prompting for certificate
Symptom: Browser doesn’t show certificate selection dialog Common causes:- Certificate not imported to browser certificate store
- Certificate imported to wrong store, for example, to the CA certificates instead of the client certificates
- Browser cached a previous certificate selection
- Verify the certificate is in browser’s personal/client certificate store.
- Clear the browser cache and cookies.
- Try a private or incognito window.
- Re-import the certificate, if necessary.
Certificate works in testing but not production
Symptom: Certificate validates in non-production but fails in production Common causes:- Different CA certificates configured per environment
- Certificate signed by wrong CA
TrustConfignot updated in production
- Verify the same CA certificate is configured in both environments.
- Check the certificate’s issuer:
openssl x509 -in CLIENT_CERT.pem -noout -issuer. - Verify the
TrustConfigsettings.
Application cannot load certificate
Symptom: Application error loading certificate file Common causes:- Incorrect file path
- Insufficient file permissions
- Certificate format not supported by library
- Missing intermediate certificates
- Verify the file exists and is readable:
ls -la CLIENT_CERT.pem. - Check the certificate’s format:
openssl x509 -in CLIENT_CERT.pem -noout -text. - For PKCS#12, verify the password is correct.
- Ensure the certificate chain includes all intermediate certificates.
- Convert between formats if needed:
- PEM to PKCS#12:
openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem - PKCS#12 to PEM:
openssl pkcs12 -in cert.p12 -out cert.pem -nodes
- PEM to PKCS#12:
Frequently asked questions
This section contains commonly-asked questions and their corresponding answers. Does mTLS replace application authentication? No. mTLS provides network-layer authentication but does not replace application-layer authentication methods like SSO, OIDC, or API tokens. Both layers should be used for defense in depth. Can I use mTLS with IPallowlisting?
Yes. mTLS and IP allowlisting are complementary security controls. You can use both simultaneously for enhanced security.
What happens if a certificate expires during business hours?
Clients with expired certificates will be unable to connect. Monitor certificate expiration dates and renew well in advance. Most organizations set up automated alerts 30-60 days before expiration.
Can I use different CAs for different groups of clients?
Yes. The TrustConfig can include multiple CA certificates as trust anchors. This allows different departments or environments to use separate CAs while accessing the same Fusion instance.
How do I handle certificate distribution to multiple users?
Organizations typically use the following devices, applications, and features:
- Mobile Device Management (MDM) systems for employee devices
- Configuration management tools for servers such as Ansible, Puppet, and Chef
- Secure file sharing with password-protected archives
- Hardware security modules (HSMs) or smart cards for high-security environments
Related topics
For more information, see the following topics:- Security Overview for comprehensive security features
- Access Control for user authentication and authorization
- Security Realms for authentication providers
- Monitoring for monitoring and alerting