Labsco
wshobson logo

mtls-configuration

โ˜… 37,559

by wshobson ยท part of wshobson/agents

Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.

๐Ÿงฉ One of 7 skills in the wshobson/agents package โ€” works on its own, and pairs well with its siblings.

This is the playbook your agent receives when the skill activates โ€” you don't need to read it to use the skill, but it's here to audit before installing.

mTLS Configuration

Comprehensive guide to implementing mutual TLS for zero-trust service mesh communication.

When to Use This Skill

  • Implementing zero-trust networking
  • Securing service-to-service communication
  • Certificate rotation and management
  • Debugging TLS handshake issues
  • Compliance requirements (PCI-DSS, HIPAA)
  • Multi-cluster secure communication

Core Concepts

1. mTLS Flow

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”                              โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Service โ”‚                              โ”‚ Service โ”‚
โ”‚    A    โ”‚                              โ”‚    B    โ”‚
โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”˜                              โ””โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”˜
     โ”‚                                        โ”‚
โ”Œโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”      TLS Handshake          โ”Œโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”
โ”‚  Proxy  โ”‚โ—„โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚  Proxy  โ”‚
โ”‚(Sidecar)โ”‚  1. ClientHello             โ”‚(Sidecar)โ”‚
โ”‚         โ”‚  2. ServerHello + Cert      โ”‚         โ”‚
โ”‚         โ”‚  3. Client Cert             โ”‚         โ”‚
โ”‚         โ”‚  4. Verify Both Certs       โ”‚         โ”‚
โ”‚         โ”‚  5. Encrypted Channel       โ”‚         โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜                              โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

2. Certificate Hierarchy

Root CA (Self-signed, long-lived)
    โ”‚
    โ”œโ”€โ”€ Intermediate CA (Cluster-level)
    โ”‚       โ”‚
    โ”‚       โ”œโ”€โ”€ Workload Cert (Service A)
    โ”‚       โ””โ”€โ”€ Workload Cert (Service B)
    โ”‚
    โ””โ”€โ”€ Intermediate CA (Multi-cluster)
            โ”‚
            โ””โ”€โ”€ Cross-cluster certs

Templates and detailed worked examples

Full template library and detailed worked examples live in references/details.md. Read that file when you need the concrete templates.

Best Practices

Do's

  • Start with PERMISSIVE - Migrate gradually to STRICT
  • Monitor certificate expiry - Set up alerts
  • Use short-lived certs - 24h or less for workloads
  • Rotate CA periodically - Plan for CA rotation
  • Log TLS errors - For debugging and audit

Don'ts

  • Don't disable mTLS - For convenience in production
  • Don't ignore cert expiry - Automate rotation
  • Don't use self-signed certs - Use proper CA hierarchy
  • Don't skip verification - Verify the full chain