Gateway to Origin mTLS Authentication
Enterprise Feature
mTLS Client Certificates is available as an add-on as part of an enterprise plan. If you would like to purchase this feature, please contact us at sales@zuplo.com or reach out to your account manager.
Most enterprise features can be used in a trial mode for a limited time. Feel free to use enterprise features for development and testing purposes.
Mutual TLS (mTLS) authentication establishes a trust relationship between your Zuplo API Gateway and your backend services using client certificates. With mTLS, both the client (Zuplo Gateway) and the server (your backend) authenticate each other, creating a "Zero Trust" security model.
This is particularly useful for enterprise customers who need to ensure that both parties in a connection verify each other's identity before exchanging data.
How mTLS Works
When Zuplo makes an outbound request to your backend service:
- Your backend service presents its SSL/TLS certificate to Zuplo (standard TLS)
- Zuplo presents a client certificate to your backend (the mutual part)
- Both parties verify each other's certificates against a trusted Certificate Authority (CA)
- Only after mutual verification does the secure connection establish
This ensures that your backend only accepts requests from authorized Zuplo gateways, and Zuplo can verify it's connecting to the correct backend service.
Prerequisites
Before you begin, you need:
- A PEM-encoded client certificate and matching private key generated from a Certificate Authority (CA) that your backend trusts
- Your backend service configured to require and validate client certificates
- The Zuplo CLI installed (see CLI documentation)
Client certificate requirements
The certificate uploaded to Zuplo is the client, or leaf, certificate that the gateway presents to your backend. It should have the following properties:
- X.509 version 3
Basic Constraints: critical, CA:FALSEKey Usage: critical, Digital SignatureExtended Key Usage: TLS Web Client Authentication(clientAuth)- An RSA key between 2048 and 8192 bits, or an ECDSA key using P-256, P-384, or P-521
- A SHA-256 or stronger signature
- A subject that uniquely identifies the gateway credential
- A validity period appropriate for your certificate rotation policy
The issuing CA certificate must be X.509 version 3 with
Basic Constraints: critical, CA:TRUE and a key usage that includes
Certificate Sign and CRL Sign. Your backend's trust store must contain the
CA certificates needed to build a path from the client certificate to a trusted
root. When the trusted CA directly signs the client certificate, you do not need
a client certificate-chain bundle. If an intermediate CA signs it, follow your
backend's requirements for presenting and trusting the intermediate chain.
The private key must match the public key in the client certificate. Keep it secret and limit access to it. The key must be unencrypted when uploaded to Zuplo so the gateway can use it without a passphrase.
1/ Upload Your Certificate
Use the Zuplo CLI to upload your client certificate and private key to your project. You can upload multiple certificates, each with a unique name.
Code
The certificate name must follow JavaScript's variable naming constraints since you will use the name later in your code. The CLI will validate these constraints when you create the certificate.
Parameters:
--cert: Path to your PEM-encoded client certificate file--key: Path to your PEM-encoded private key file--name: A unique name to identify this certificate in your project--account: Your Zuplo account name--project: Your Zuplo project name--environment-type: Specify which environments can use this certificate (can be specified multiple times)
2/ Use the Certificate in Your Code
Once uploaded, you can use the certificate when making outbound requests from your Zuplo Gateway.
Using mTLS in a Request Handler
Reference the certificate by name in the zuplo options object when making
fetch requests:
Code
Using mTLS in a Policy
You can also configure mTLS in the URL Forward Handler or URL Rewrite Handler that make outbound requests:
Code
3/ Using Environment Variables
For better flexibility across environments, store the certificate name as an environment variable:
Production environment:
Code
Staging environment:
Code
Then reference it in your code:
Code
Or in your policy configuration:
Code
Managing Certificates
Listing Certificates
To view all certificates in your project:
Code
Deleting Certificates
To remove a certificate:
Code
You can't delete a certificate that's referenced by any of your deployments in your project. This is to prevent your deployments from failing if the certificate that's being referenced is no longer available.
First, disable the certificate by using the CLI with
zuplo mtls-certificate disable. Then redeploy the deployments in your project
that reference it. Once there are no more references to the certificate, you can
delete it.
Certificate Rotation
When your certificates need to be rotated (due to expiration or security policies):
- Upload the new certificate with a different name
- Update your environment variables or code to reference the new certificate name
- Use the CLI
zuplo mtls-certificate disablecommand to disable the old certificate. - Deploy your changes to all environments that reference the old certificate.
- After verifying the new certificate works, you may delete the old certificate.
The order of operations is important so that your services continue to work as you rotate the certificate.
Local Development
mTLS bindings aren't currently available in local development environments. Your code using mTLS will only work when deployed to Zuplo's edge infrastructure.
For local development, consider:
- Using conditional logic to bypass mTLS when running locally
- Setting up a separate backend endpoint that doesn't require mTLS for development
- Testing mTLS functionality in a preview environment
Troubleshooting
Certificate Validation Errors
Inspect the certificate and confirm its subject, issuer, validity, and client authentication purpose:
Code
SSL client should report Yes. To inspect all extensions, run
openssl x509 -in client.crt -noout -text and confirm the certificate reports
CA:FALSE, Digital Signature, and TLS Web Client Authentication.
Check that the certificate will remain valid for at least seven days:
Code
Validate the certificate path against the same CA bundle your backend trusts:
Code
The expected result is client.crt: OK. Common errors include:
unable to get local issuer certificate: The issuing CA or an intermediate CA is missing from the backend's trust bundle.unsupported certificate purpose: The client certificate is missing theclientAuthextended key usage.certificate has expired: The client certificate is outside its validity period.invalid CA certificate: An issuing certificate is missing valid CA extensions.key usage does not include certificate signing: An issuing CA does not have thekeyCertSignkey usage.
Confirm that the certificate and private key contain the same public key:
Code
If your backend still rejects the certificate, verify:
- The certificate is signed by a CA that your backend trusts
- The certificate hasn't expired
- The certificate has the required key usage and extended key usage
- The certificate and private key match
- The certificate name in your code matches the uploaded certificate name
Connection Failures
If requests fail to connect:
- Ensure your backend is configured to accept mTLS connections
- Verify the certificate is uploaded to the correct environment (development, preview, production)
- Check that your backend's CA certificate is properly configured
Runtime Errors
If you see errors about missing certificates:
- Confirm the certificate was uploaded successfully using
zuplo mtls-certificate list - Ensure the environment type was specified correctly during upload
- Verify your code references the correct certificate name
Additional Resources
For more information on securing your backend, see:
- Securing your Backend - Overview of all backend security options
- Shared Secret / API Key - Alternative approach using shared secrets
- Secure Tunnels - Connect to private backends without exposing them to the internet
- Client mTLS Authentication - The reverse direction, where clients authenticate to your Zuplo gateway with a client certificate
If you need assistance configuring mTLS for your project, contact us at support@zuplo.com.