Mutual TLS in a Mesh

How both sides of a service call prove identity with certificates.

Both sides prove who they are

Ordinary TLS authenticates only the server. Mutual TLS, often called mTLS, makes both the client and the server present certificates, so each side verifies the other before any application data flows.

In a mesh the sidecar proxies handle this automatically. Every workload gets a short-lived certificate that encodes its identity, issued by the control plane acting as a certificate authority. When two services talk, their proxies exchange and validate these certificates.

What this gives you

  • Strong identity: a service is named by its certificate, not just an IP that can be spoofed.
  • Encryption in transit for all service-to-service traffic by default.
  • Authorization that can be written against identities, such as allowing only the orders service to call billing.

Rotation matters

Certificates are deliberately short-lived and rotated frequently. If one leaks, it expires quickly, and rotation happens inside the proxies so applications never handle keys. This automated identity is the security backbone of a mesh.
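The three ideas above (both sides presenting certificates, identity carried in the certificate, short lifetimes and identity-based authorization) can be watched in a single Go program. This is an added example, not code from the lesson or from any mesh project: Go's standard crypto/tls stands in for the two sidecar proxies, a throwaway self-signed root stands in for the control plane CA, and the SPIFFE-style trust domain `mesh.example.test`, the service names `orders`, `frontend` and `billing`, the 10-minute TTL and the `Call` helper are all constructed for the example. `Call` opens one mTLS connection over loopback and returns what the server-side proxy decided; an empty client name models an ordinary TLS client that presents no certificate, and `clientCertAge` back-dates the client's certificate to show what happens to a leaked one once its TTL has passed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

const (
	certTTL  = 10 * time.Minute                            // deliberately short, as a mesh control plane would issue
	idPrefix = "spiffe://mesh.example.test/ns/default/sa/" // constructed SPIFFE-style trust domain; identity = idPrefix + service
)

// must turns setup failures (key generation, certificate encoding) into panics; they are programming errors here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a throwaway self-signed root standing in for the control plane's certificate authority.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example mesh CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issue mints a short-lived leaf naming the workload by URI SAN (plus a DNS SAN so Go's
// hostname check applies). age back-dates NotBefore to model a leaked, now stale certificate.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, service string, age time.Duration) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	notBefore := time.Now().Add(-age - time.Minute)
	der := must(x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: notBefore, NotAfter: notBefore.Add(certTTL),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames: []string{service},
		URIs:     []*url.URL{must(url.Parse(idPrefix + service))},
	}, ca, &key.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve accepts one connection as the server-side proxy, completes the mTLS handshake
// and applies an authorization rule written against caller identities, not IPs.
func serve(ln net.Listener, allowedCallers []string) string {
	conn := must(ln.Accept()).(*tls.Conn)
	defer conn.Close()
	if err := conn.Handshake(); err != nil { // fails for a missing, expired or foreign-CA client cert
		return "rejected: " + err.Error()
	}
	// RequireAndVerifyClientCert guarantees a verified chain here; the caller is named by its URI SAN.
	uris := conn.ConnectionState().VerifiedChains[0][0].URIs
	for _, svc := range allowedCallers {
		if len(uris) == 1 && uris[0].String() == idPrefix+svc {
			return "allowed " + uris[0].String()
		}
	}
	return fmt.Sprintf("denied %v", uris)
}

// Call runs one mTLS connection over loopback; clientSvc == "" models a client with no
// certificate. It returns "allowed <id>", "denied [<id>]" or "rejected: <reason>".
func Call(clientSvc, serverSvc string, clientCertAge time.Duration, allowedCallers []string) string {
	ca, caKey := newCA()
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ // the server-side proxy
		Certificates: []tls.Certificate{issue(ca, caKey, serverSvc, 0)},
		// Ordinary TLS would use tls.NoClientCert; mTLS demands a client cert chaining to the mesh CA.
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, MinVersion: tls.VersionTLS13,
	}))
	defer ln.Close()
	verdict := make(chan string, 1)
	go func() { verdict <- serve(ln, allowedCallers) }()
	// The client-side proxy verifies the server's certificate against the same mesh CA.
	clientCfg := &tls.Config{RootCAs: pool, ServerName: serverSvc, MinVersion: tls.VersionTLS13}
	if clientSvc != "" {
		clientCfg.Certificates = []tls.Certificate{issue(ca, caKey, clientSvc, clientCertAge)}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "rejected: " + err.Error()
	}
	conn.Close()
	return <-verdict
}
```

Running `Call("orders", "billing", 0, []string{"orders"})` yields an allowed verdict carrying the orders identity; the same call from `frontend` is denied by the rule even though it holds a perfectly valid mesh certificate; a client with no certificate never gets past the handshake, which is the difference from ordinary TLS; and an `orders` certificate back-dated by an hour is rejected at the handshake because its 10-minute validity window has closed, which is exactly why a leaked mesh certificate is of little use. Note that the server decides on the certificate's URI SAN, never on the source address of the connection.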

Key idea

Mutual TLS gives every workload a verifiable certificate identity so both sides authenticate and all service traffic is encrypted by default.

Check yourself

1. How does mutual TLS differ from ordinary TLS?

2. Why are mesh certificates short lived?

3. What can authorization rules reference once mTLS is in place?