Mutual TLS

Both sides present certificates so each proves who it is.

Beyond one-sided trust

In ordinary TLS only the server presents a certificate, so the client verifies the server but the server identifies the client some other way, often a password or token. Mutual TLS, often shortened to mTLS, adds a client certificate so both parties authenticate each other cryptographically.

How the exchange works

During the handshake the server requests a certificate from the client. The client sends one and proves it holds the matching private key. Each side checks the other's certificate against a trusted certificate authority.

  • The server proves its identity as usual.
  • The client also presents a certificate.
  • Both validate the chain up to a trusted authority.
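The two halves of that exchange, written as configuration with Python's standard ssl module. This is an added example, not part of the original lesson; the function names and finding codes are assumptions made for illustration. The audit function flags a server that does not require a client certificate, which leaves the connection as ordinary one-sided TLS.

```python
import ssl

def build_server_context(cert=None, key=None, client_ca=None,
                         client_certs=ssl.CERT_REQUIRED):
    """Server half of mTLS. File paths are optional so this runs offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # CERT_REQUIRED makes the server request a client certificate and abort
    # the handshake if none is sent or its chain does not validate.
    ctx.verify_mode = client_certs
    if cert:
        ctx.load_cert_chain(cert, key)                # server's own identity
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)   # CA that issues client certs
    return ctx

def build_client_context(cert=None, key=None, server_ca=None):
    """Client half: verifies the server and presents its own certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # CERT_REQUIRED + hostname check
    if cert:
        ctx.load_cert_chain(cert, key)                # certificate sent when requested
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    return ctx

def audit_mtls_context(ctx, role):
    """Return finding codes; an empty list means this side enforces its half."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("peer-not-verified")
    elif role == "server" and ctx.verify_mode == ssl.CERT_OPTIONAL:
        # The server asks for a certificate but accepts clients that send none,
        # so the connection silently falls back to one-sided TLS.
        findings.append("client-cert-optional")
    if role == "client" and not ctx.check_hostname:
        findings.append("hostname-not-checked")
    # Counts CAs loaded from a file; a capath directory is read on demand
    # and is not reflected here.
    if ctx.verify_mode != ssl.CERT_NONE and ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no-trust-anchor")
    return findings

if __name__ == "__main__":
    for mode in (ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED):
        ctx = build_server_context(client_certs=mode)
        print(mode.name, audit_mtls_context(ctx, "server"))
    print("client", audit_mtls_context(build_client_context(), "client"))
```

Pass real certificate, key and CA file paths to the builders to get contexts usable with `wrap_socket`; a correctly configured side then audits to an empty list.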

Where it shines

mTLS is common inside service meshes and zero-trust networks, where every service call must be authenticated regardless of network location. The main cost is operational, since you must issue, rotate, and revoke certificates for every workload, usually through automated tooling.

Key idea

Mutual TLS makes both client and server prove their identity with certificates, enabling strong service-to-service authentication.

Check yourself

1. How does mTLS differ from ordinary TLS?

2. Where is mTLS most commonly used?

3. What is the main operational cost of mTLS?