Testing mTLS from client to edge

mTLS setup and testing

We announced the use of mutual TLS (mTLS). Since we offer protecting two domains with mTLS for free, quite a few customers have started using mTLS. We do receive a lot of questions on setting up and testing mTLS, and this article is meant to be a how-to guide.

Fastly’s current implementation of mTLS requires a Certification Authority (CA) bundle in order to determine whether the server should trust the client. We define a CA bundle as one or more chains of trust or root certificates combined into one PEM file. For example, you can have the chain of trust for a public CA for customer A and a private CA chain of trust for customer B combined into one CA bundle. See the Appendix for further information.

In this guide, we will create a private CA, and issue a client certificate from that CA. We will load our CA bundle via Fastly’s console and configure our mTLS domain. We will test by installing the client certificate into the Chrome browser, or test via the curl command.

Let’s make a private CA

In this section, we are going to make a private CA that you can use to create client certificates to test. We will start by creating the private key for the CA, and then the client certificate(s). You will need to run these from a command line that has openssl installed. Our CA will be valid for 10 years, but you can choose however many -days works best for you. Remember to restrict access to your private key used to create your CA.

openssl genrsa 4096 > ca-key.pem

openssl req -new -x509 -nodes -days 3650 -key ca-key.pem > ca-cert.pem

Enter the information at the prompts (Country Name, State or Province, Organization Name, etc.). These values do not matter that much for a test CA.

You now have a key file and a root certificate: ca-key.pem and ca-cert.pem.

Now let’s use these to create a client certificate. First create the client private key and a Certificate Signing Request (CSR), then sign the CSR with your CA to produce the certificate.

openssl req -newkey rsa:2048 -days 365 -nodes -keyout client-key1.pem > client-req.pem

openssl x509 -req -in client-req.pem -days 365 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 > client-cert1.pem

We now have:

ca-cert.pem: The CA certificate
ca-key.pem: The private key used to create the CA certificate (protect this file!)
client-cert1.pem: The client certificate used to make the connection
client-key1.pem: The private key used to create the CSR (protect this file!)
client-req.pem: The certificate signing request
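The CA and client-certificate steps above, scripted end to end so they run without prompts, followed by the check that matters for mTLS: does the client certificate chain to a CA in the bundle? This is an added example, not code from the original article or from Fastly. It builds two private CAs (standing in for customer A and customer B from the introduction) that go into the bundle and a third, unrelated CA that does not, then verifies a client certificate from each. It assumes openssl (1.1.1 or 3.x) is on PATH; every file name and subject is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): the CA and client-certificate
# steps done non-interactively, plus an "is this client trusted by the bundle?"
# check. Assumes openssl on PATH; all names and subjects below are constructed.
set -eu

WORKDIR=$(mktemp -d)

# make_ca <name> <subject>: 4096-bit key and a 10-year self-signed root, as in the
# article. The key is written under umask 077 so only the owner can read it.
make_ca() {
  ( umask 077; openssl genrsa -out "$WORKDIR/$1-key.pem" 4096 2>/dev/null )
  openssl req -new -x509 -nodes -days 3650 -subj "$2" \
    -key "$WORKDIR/$1-key.pem" -out "$WORKDIR/$1-cert.pem" 2>/dev/null
}

# make_client_cert <ca-name> <client-name> <subject>: client key + CSR, signed by the CA.
# -CAcreateserial keeps a serial counter next to the CA certificate, so two client
# certificates from the same CA never share a serial number (a fixed -set_serial 01
# would give every certificate from that CA the same serial, which X.509 forbids).
make_client_cert() {
  ( umask 077; openssl req -newkey rsa:2048 -nodes -subj "$3" \
      -keyout "$WORKDIR/$2-key.pem" -out "$WORKDIR/$2-req.pem" 2>/dev/null )
  openssl x509 -req -in "$WORKDIR/$2-req.pem" -days 365 \
    -CA "$WORKDIR/$1-cert.pem" -CAkey "$WORKDIR/$1-key.pem" -CAcreateserial \
    -out "$WORKDIR/$2-cert.pem" 2>/dev/null
}

# verify_against_bundle <bundle.pem> <cert.pem>: prints "trusted" or "untrusted",
# depending on whether the certificate chains to a root in the bundle.
verify_against_bundle() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca ca-a  "/C=US/O=Customer A/CN=Customer A Private Root"
make_ca ca-b  "/C=US/O=Customer B/CN=Customer B Private Root"
make_ca other "/C=US/O=Unrelated/CN=Unrelated Private Root"
make_client_cert ca-a  client-a "/C=US/O=Customer A/CN=client-a"
make_client_cert ca-b  client-b "/C=US/O=Customer B/CN=client-b"
make_client_cert other stranger "/C=US/O=Unrelated/CN=stranger"

# The CA bundle is simply the trusted roots concatenated into one PEM file.
cat "$WORKDIR/ca-a-cert.pem" "$WORKDIR/ca-b-cert.pem" > "$WORKDIR/ca-bundle.pem"

echo "client-a: $(verify_against_bundle "$WORKDIR/ca-bundle.pem" "$WORKDIR/client-a-cert.pem")"
echo "client-b: $(verify_against_bundle "$WORKDIR/ca-bundle.pem" "$WORKDIR/client-b-cert.pem")"
echo "stranger: $(verify_against_bundle "$WORKDIR/ca-bundle.pem" "$WORKDIR/stranger-cert.pem")"
echo "files left in $WORKDIR"
```

The last three lines are the point: client-a and client-b are trusted because their issuing roots are in the bundle, while stranger is rejected even though its certificate is perfectly valid under its own CA. Running `openssl verify -CAfile` against the bundle you are about to upload is a quick way to confirm a client certificate will be accepted before you touch the console.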

If you are testing on a Mac, you need to convert the client certificate and its key into a .pfx (PKCS#12) file to import them into your keychain. This caused me great pain and aggravation. I assume this is probably true for other platforms as well.

openssl pkcs12 -export -legacy -in client-cert1.pem -inkey client-key1.pem -out client-cert1.pfx

On a Mac, drag client-cert1.pfx into your keychain to import it, or import it directly into your browser. Then go into your keychain, double-click on your certificate, and set “Trust” to Always Trust:

Now let’s set up your Fastly service

On https://manage.fastly.com, go to the Secure → TLS management → Mutual TLS tab. If you do not see a Mutual TLS tab, contact sales with your company ID number to get set up (remember, two domains are free). I will assume you have set up a domain and a service already.

On the Mutual TLS tab, we’ll drag our CA file for our “CA Bundle”.

Drag the “ca-cert.pem” file or browse to upload it. Next, give it a name you will recognize easily:

I’ve unchecked the “Require MTLS”. This is best if not all of your clients support mTLS. With it unchecked, if the client presents a client certificate, we validate it and, if it is trusted, mTLS is used. If the client does not send a client certificate, we establish a normal TLS connection. Having “Require MTLS” checked forces the client to present a valid certificate in order to connect.

Click “Save and next”. Select which domain(s) you want protected with mTLS:

Using Chrome, when I try to connect to my domain, I’m prompted for a client certificate to send. If you installed your certificate and keys properly, you should see your certificate in the dialog box, where you can select it. Once you select the certificate, your mTLS connection will be established.

Appendix

Currently, Fastly mTLS will accept any valid certificate from a CA in the CA bundle. We currently have a limit allowing up to 30 CAs in a bundle (total PEM file size cannot exceed 4096 KB). Using a public CA in this case isn’t the most secure option, because anyone can obtain a client certificate from a public CA and connect. Keep in mind that the more CA chains we need to search through to find whether a certificate is trusted, the larger the DDoS vector you create: it takes processing time to iterate through a long list of chains, and if a massive number of connections arrives all at once, it can take a long time to respond.
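A pre-upload check for the CA bundle, added here as an example (not code from the original article or from Fastly). It applies the two limits stated above (at most 30 CAs, PEM file no larger than 4096 KB) and additionally confirms that every entry parses and carries CA:TRUE, since a leaf certificate pasted into the bundle by mistake would never validate any client. It assumes openssl (1.1.1 or 3.x) and awk are on PATH; the sample bundles at the bottom are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check a CA bundle against
# the limits in the appendix before uploading it. Assumes openssl and awk on PATH;
# the sample certificates and bundles below are constructed for the demo.
set -eu

MAX_CAS=30
MAX_BYTES=$((4096 * 1024))

# check_bundle <bundle.pem>: prints "ok" or the first problem found; exit status 0/1
check_bundle() {
  bundle="$1"
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true)
  size=$(wc -c < "$bundle")
  if [ "$count" -eq 0 ]; then echo "no certificates found"; return 1; fi
  if [ "$count" -gt "$MAX_CAS" ]; then echo "too many CAs: $count (limit $MAX_CAS)"; return 1; fi
  if [ "$size" -gt "$MAX_BYTES" ]; then echo "bundle too large: $size bytes (limit $MAX_BYTES)"; return 1; fi

  # Split the bundle into one file per certificate (text between entries is ignored),
  # then make sure each one parses and is actually a CA certificate.
  parts=$(mktemp -d)
  awk -v dir="$parts" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { close(out); inside = 0 }' "$bundle"
  for f in "$parts"/*.pem; do
    if ! openssl x509 -in "$f" -noout 2>/dev/null; then
      echo "unparseable entry $(basename "$f" .pem)"; rm -rf "$parts"; return 1
    fi
    if ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
      echo "not a CA certificate: $(openssl x509 -in "$f" -noout -subject)"
      rm -rf "$parts"; return 1
    fi
  done
  rm -rf "$parts"
  echo ok
}

# --- constructed sample bundles ---
DEMO=$(mktemp -d)
# Two throwaway private roots, standing in for customer A and customer B.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=Customer A/CN=Customer A Root" \
  -keyout "$DEMO/a-key.pem" -out "$DEMO/a-cert.pem" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/O=Customer B/CN=Customer B Root" \
  -keyout "$DEMO/b-key.pem" -out "$DEMO/b-cert.pem" 2>/dev/null
cat "$DEMO/a-cert.pem" "$DEMO/b-cert.pem" > "$DEMO/good-bundle.pem"

# Over the limit: the same root repeated 31 times.
i=0; : > "$DEMO/too-many.pem"
while [ "$i" -lt 31 ]; do cat "$DEMO/a-cert.pem" >> "$DEMO/too-many.pem"; i=$((i + 1)); done

# Corrupted: a few base64 lines cut out of the middle of the certificate.
sed '5,8d' "$DEMO/a-cert.pem" > "$DEMO/broken.pem"

echo "good-bundle: $(check_bundle "$DEMO/good-bundle.pem")"
echo "too-many:    $(check_bundle "$DEMO/too-many.pem" || true)"
echo "broken:      $(check_bundle "$DEMO/broken.pem" || true)"
```

The count and size checks are cheap and catch the two hard limits; the per-entry parse is what catches the more common mistake of a mangled copy-and-paste or a leaf certificate in a file that should only contain roots and intermediates.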