Guide
TrainingSupportCommunity

Enforce mTLS settings

Suggest Edits

📘

Limited Availability

This feature is only available to select customers. Talk to your account team about eligibility.

The transport layer security (TLS) protocol is used to secure connections between a client and server. With a common TLS-secured web connection, only the client validates the identity of the server before allowing communications. With mutual TLS-secured web connections, both the client and the server validate the identity of one another, before allowing communication between the two. The client and server each present a TLS identity certificate to the other, with each side verifying the authenticity, during what's called the "TLS handshake”. Once verified, the identity information is used to authorize additional communication requests between the two.

Why you need it

The Enforce mTLS settings are part of the authorization logic for your delivery configuration ("property"). They're a way to ensure requests processed by your property are coming from TLS connections set in an mTLS configuration you've applied.

The server's certificate, what we refer to as an ​Akamai​ edge certificate, and its settings aren't automatically bound to a specific property. You can set it up to support requests from multiple edge certificates, each with varying TLS settings to support different use cases:

  • An edge certificate with a specific hostname with mTLS.

  • An edge certificate that uses a wildcard hostname without mTLS.

For example, this behavior's settings can be applied to enforce mTLS for requests to the specific hostname associated with the edge certificate with mTLS. But, they wouldn't apply to requests for the wildcard hostname.

How it works

A client makes a connection to a particular edge certificate on the ​Akamai​ network. The client then makes a request for your property. The request is processed by your property and Enforce mTLS settings are applied. Configure them to ensure these requests came from a TLS connection, where the expected mTLS configuration settings were applied. After this validation takes place, further request processing can continue. If there's a mismatch, you can apply custom error handling.

Implementation

These sections offer some basic workflows you can follow to add this support.

Before you begin

There are a few prerequisites you need to meet before adding mTLS support to your property:

  • Create your CA set for the client. You need to set up a certificate authority (CA) set with ​Akamai​'s Mutual TLS Edge TrustStore application. Here, you'll add your own secure certificates that requesting clients will exchange with the server.

  • Enable mTLS in edge certificates for the server. These are the certificates the server shares with the client for mTLS support. You need to bind these mTLS-enabled certificates to your CA set with ​Akamai​'s Certificate Provisioning System (CPS). These certificates need to be the same type (domain validated, organization validated, or extended validation) and format (standard TLS or enhanced TLS) of certificate you set up for client use in your CA set. Once done, you apply these certificates in your property when creating a secure hostname.

  • Use TLS 1.3 and HTTP/3. When configuring mTLS in all your certificates, you should ensure that they use TLS 1.3 to avoid the security flaws with older TLS versions. Additionally, if you've set up your property using HTTP/3, it uses QUIC as the transport layer and TLS 1.3 is built-in, so lesser versions of TLS aren't supported.

📘

If you update an existing CA set, its changes aren't automatically applied in CPS or in Property Manager. See Caveats and known issues for complete information.

Apply basic support

Here, we'll apply a simple rule to deny requests to a specific hostname, if they don't properly apply mTLS.

  1. Add a secure hostname to your property. Configure it to use the edge certificate where you've enabled mTLS for the server.

  2. In the Property Configurations settings, click + Rules.

  3. The Blank Rule Template is default selected. Click New Rule and give the rule an easy-to-recognize name, like Enforce mTLS.

  4. Click Insert Rule.

  5. In the Criteria options, click + Match. The match criterion defaults to Hostname > is one of.

  6. In the empty field, enter the secure hostname you added.

  7. In the Behaviors options, click + Behavior.

  8. Type enforce in the Search available... field, select the Enforce mTLS settings behavior, and click Insert Behavior.

  9. Configure the options in this behavior:

OptionDescription

Enforce certificate authority sets

Enable this. Your property will validate that the settings in this behavior apply.

Certificate authority sets

Select the CA sets you want to support. The preset list is comprised of CA sets you've created with ​Akamai​'s mTLS Edge Truststore.

📘

You also need to bind the CA sets you select here to the edge certificate in CPS. (This is the certificate ​Akamai​ edge servers use for verification during the mTLS connection.)

OCSP Status

Enable this if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use the online certificate support protocol (OCSP). OCSP can determine the X.509 certificate revocation status during the TLS handshake.

Deny request

Enable this. Any request for the specified secure hostname that doesn't match the settings you've applied in this behavior is denied. A request doesn't match if:

  • The CA sets you've named here aren't bound to the edge certificate you've included in your secure hostname.

  • The OCSP setting in your edge certificate doesn't match what you've set here. (For example, if it's disabled here, but enabled in your edge certificate, the request would be denied.)

If a request matches on both, it's allowed.

Apply custom handling

Here, we'll apply a collection of rules: a parent rule to enforce mTLS settings, and two nested child rules to apply custom handling for mismatched requests. Here's what you can expect to achieve with this:

  • Successful requests passthrough client certificate information. A header will be sent to your origin server that contains details from the client's mTLS certificate. This lets you establish transitive trust between the client and your origin server.

  • Special handling for requests that don't match. A request that doesn't match what you set will still be allowed. However, information will be included in the Log Delivery Service report for analysis.

1. Add Enforce mTLS settings

Start by adding a new parent rule to handle requests for mTLS.

  1. Follow steps 1 - 8 in Apply basic support.

  2. Configure the options in the Enforce mTLS settings behavior:

OptionDescription

Enforce certificate authority sets

Enable this. Your property will validate that the settings in this behavior apply.

Certificate authority sets

Select the CA sets you want to support. The preset list is comprised of CA sets you've created with ​Akamai​'s mTLS Edge Truststore.

📘

You also need to bind the CA sets you select here to the edge certificate in CPS. (This is the certificate ​Akamai​ edge server uses for verification during the mTLS connection.)

OCSP Status

Enable this if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use the online certificate support protocol (OCSP). OCSP can determine the X.509 certificate revocation status during the TLS handshake.

Deny request

Disable this. Any request that matches the settings you've applied in this behavior will be allowed. A request that doesn't match the settings will be allowed, too. But, you'll incorporate custom handling for these requests, through the other rules in the behavior.

A request doesn't match settings if either of the following apply:

  • The CA sets you've named here aren't bound to the edge certificate you've included in your secure hostname.

  • The OCSP setting in your edge certificate doesn't match what you've set here. (For example, if it's disabled here, but enabled in your edge certificate, the request wouldn't match.)

2. Add Client Certificate Authentication

Next, add a child rule that forwards client certificate details to your origin server as headers. You can configure your origin server to trust the headers, to enable transitive trust.

  1. In the Property Configurations settings, click + Rules.

  2. The Blank Rule Template is default selected. Click the New Rule field and give it an easy-to-recognize name, like Client cert auth.

  3. Click Insert Rule. Your new rule is added to the bottom of the tree.

  4. Click the handle () for the new rule entry and drag it below your Enforce mTLS rule to nest it as a child rule.

  1. Click the rule to open it.

  2. In the Criteria options, click + Match. Set the If options to:

    • Client certificate

    • Provided. Enabled.

    • Valid. The associated rule will only be applied if the client's mTLS certificate is valid.

  3. In the Behaviors options, click + Behavior.

  4. Type client cert in the Search available... field, select the Client Certificate Authentication behavior, and click Insert Behavior.

  5. Configure the options in this behavior:

    OptionDescription

    Enable

    Enable this. Your property builds Client-Auth HTTP headers using information from the client to server (edge network) mTLS handshake and sends them to your origin server. You can configure your origin server to acknowledge these headers to enable transitive trust between itself and the requesting client.

    Complete client certificate

    When ​Akamai​ builds the Client-to-Edge-HTTP-Auth header, it needs to include some form of the client's x.509 certificate.

    • On. This includes the complete client certificate, in its binary (DER) format. DER-formatted certificates leave out the "BEGIN CERTIFICATE/END CERTIFICATE" statements and typically use the ".der" extension.

    • Off. Select the individual Client certificate attributes to include.

    Client certificate attributes

    With Complete client certificate set to Off, select from the list of certificate attributes to include them in the Client-to-Edge-HTTP-Auth header.

    • Client certificate subject. The distinguished name of the client certificate's public key.

    • Client certificate common name (CN). The common name (CN) that's been set in the client certificate.

    • Client certificate SHA-256 fingerprint. An SHA-256 encrypted fingerprint of the client certificate.

    • Client certificate issuer. The distinguished name of the entity that issued the certificate.

    Certificate validation status

    Enable this. The current validation status of the client certificate in the Client-to-Edge-HTTP-Auth header. Configure your origin server to acknowledge the validity before it establishes trusttrust will only be established if the client certificate is currently valid.

3. Add Logging

Finally, we'll add a second child rule that generates log data for mismatched mTLS certificate requests.

  1. In the Property Configurations settings, click + Rules.

  2. The Blank Rule Template is default selected. Click the New Rule field and give it an easy-to-recognize name, like Log invalid certs.

  3. Click Insert Rule. Your new rule is added to the bottom of the tree.

  4. Click the handle () for the rule and drag it below your Enforce mTLS rule to nest it as a child rule.

  1. Click the rule to open it.

  2. In the Criteria options, click + Match. Set the If options to:

    • Client certificate

    • Provided. Enabled.

    • Invalid

    • Enforce mTLS settings results. Enabled.

    📘

    Ensure that Deny request in the Enforce mTLS settings behavior in the parent rule is disabled.

  3. In the Behaviors options, click + Behavior.

  4. Type log custom in the Search available... field, select the Log Custom Details behavior, and click Insert Behavior.

  5. Configure the options in this behavior:

    OptionDescription

    Include Custom Log Field

    Enable this to include what's set in the Custom Log Field in the Log Delivery Service report.

    Custom Log Field

    Specify the additional data field you want appended to each log line. You can add something like "invalid_mTLS" to make it easy to recognize log entries.

Caveats and known issues

Review what's here before setting up this support:

IssueDetail

Changes aren't automatically applied

If you make an update to your CA set in the mTLS Edge Truststore, ensure you make the applicable changes to your property here in Property Manager, and to any certificates in the Certificate Provisioning System (CPS).

For example, if you remove a CA set from the mTLS Edge Truststore, you also need to unbind the CA set from the certificate in CPS and remove the CA Set from your property here in the Enforce mTLS settings behavior. If you don’t, you could see disablement of service for requests for your property.

TLS 1.3 doesn't support renegotiation

If you need to use client certificates after the TLS handshake via renegotiation, you'll need to use a legacy version. This is because TLS 1.3 doesn't support renegotiation.

For example, if you're using mTLS and you're restricting requests to certain folders, based on a URL path in the requestrather than all content on your origin servera TLS renegotiation may be triggered. Connections using TLS 1.3 don't support renegotiation because it's a potential cyber threat. The renegotiation is just one more point in the transaction that a hacker can exploit.

Certificates are subject to regular revocation

Based on the type of certificate you're using, the certificate authority that validates them will revoke them after a set amount of time. (For example a domain validated certificate has a life cycle of 90 days.) ​Akamai​ edge servers check a certificate's revocation status through OCSP. As a best practice, enable OCSP in your client certificates and your edge certificate for your server. Then, enable the OCSP Status option when configuring the Enforce mTLS settings behavior. Many web browsers don't check the revocation status for certificates via OCSP, but this doesn't affect the mTLS use cases for certificates.

Use SHA-256 encryption

As a best practice, all certificates you use for mTLS should have their certificate authority signature component encrypted using at least SHA-256 encryption. While the mTLS Edge Truststore application offers an option to support SHA-1 level encrypted signatures, SHA-256 offers better protection. All mTLS certificates need to use the same level of signature encryption.

SSLv3 isn't supported

Any certificate you use for mTLS can't have any of its slots configured to use SSLv3. This is an antiquated protocol that is supported in some legacy environments.

The shared certificate isn't supported

You can't configure an edge hostname and secure it with ​Akamai​'s shared certificate. This format doesn't support mTLS.

Updated 12 months ago