How to Enable SSL/TLS Client Certificates (Mutual TLS/mTLS)

Unito signs HTTPS requests to APIs using a two-step process with TLS certificates (Mutual TLS/mTLS) for enhanced authenticity verification. Here's how.

As an additional layer of security, Unito can sign all HTTPS requests to APIs using a two-step process with TLS certificates. This is especially beneficial for customers hosting on-premise instances of their tools (e.g. Jira or GitHub Enterprise).

Our client certificates are signed by our own Certificate Authority (CA). So you'll need to explicitly authorize either our client certificate or our CA certificate.

You can do this by copying the code blocks below. Our certificates use 4096-bit RSA keys with SHA-256 signatures.

You can then contact us to enable SSL client certificates for your server.

A typical method to implement this process is through this nginx configuration.

Client certificate

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

CA Certificate

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
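As an added illustration (not Unito's own configuration), here is an nginx server block that requires a client certificate chaining to the CA certificate above and additionally restricts access to one pinned client subject. The file paths, hostname, upstream address and subject DN are assumed placeholders; replace them with your own values.

```nginx
# Restrict access to the one client identity you expect. The DN below is a
# placeholder: read the real one from the client certificate with
#   openssl x509 -in unito-client.pem -noout -subject
map $ssl_client_s_dn $unito_client_allowed {
    default                            0;
    "CN=placeholder-unito-client,O=Placeholder"  1;
}

server {
    listen 443 ssl;
    server_name jira.example.internal;          # placeholder hostname

    # Your server's own certificate and key (placeholder paths).
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Trust anchor for client certificates: the CA certificate pasted above,
    # saved as a PEM file. Only client certificates signed by it are accepted.
    ssl_client_certificate /etc/nginx/tls/unito-ca.pem;

    # "on" aborts the handshake when no valid client certificate is presented.
    # "optional" would let the request through and leave enforcement to you,
    # so only use it if you deliberately check $ssl_client_verify below.
    ssl_verify_client on;
    ssl_verify_depth  2;

    location / {
        # Defence in depth: even with ssl_verify_client on, reject anything
        # that did not verify or is not the pinned client identity.
        if ($ssl_client_verify != SUCCESS) { return 403; }
        if ($unito_client_allowed = 0)     { return 403; }

        # Forward the verification result so the application can log it.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream (e.g. Jira)
    }
}
```

Check the configuration with `nginx -t` before reloading, and confirm a connection without a client certificate is refused while one presenting the Unito client certificate succeeds.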

What is Mutual TLS (mTLS)?

mTLS, or Mutual Transport Layer Security, is a protocol used by Unito that provides an additional layer of security between a client and a server. Unlike standard TLS, which only requires the server to present a certificate, mTLS requires both the client and server to authenticate each other using certificates.

How does mTLS function in the context of Unito?

In the context of Unito, your organization acts as its own Certificate Authority (CA), issuing and verifying certificates that correspond to a self-signed "root" TLS certificate. This allows you to verify the legitimacy of both parties involved in a data exchange, providing enhanced security against various types of attacks including on-path attacks, spoofing, credential stuffing, brute force attacks, phishing, and malicious API requests.

While mTLS is not commonly used on the entire internet due to the complexity of managing billions of certificates, it is highly practical for individual organizations, especially those employing a Zero Trust approach to network security. This approach involves authenticating every user, device, and request each time they try to access any point in the network, and mTLS plays a crucial role in making this possible. Find out more about mTLS.