Edge mTLS Authentication

Overview

HTTPS mutual authentication, also known as mutual TLS (mTLS) authentication or client authentication, is a secure communication mode in which both the server and the client verify the identity of the other side. In standard HTTPS, usually only the server proves its identity to the client (through a server certificate), which establishes a secure, encrypted communication channel. Mutual authentication builds on this by also requiring the client to present a certificate so that the server can verify the client's identity. It is commonly used in systems with high security requirements to ensure that both communicating parties are trustworthy. You can refer to The Difference Between one-way authentication and Mutual authentication.
When a client establishes an HTTPS connection to an edge node and an edge HTTPS certificate is already configured, EdgeOne can additionally require a client certificate during the TLS handshake for mutual authentication.

Preparations

One server certificate, consisting of server.pem and server.key;
One client certificate, consisting of client.pem and client.key, together with the CA certificate that issued it, CA.crt. The CA certificate must contain the complete certificate chain and must be uploaded in advance to the Tencent Cloud SSL console. For format requirements, refer to CA Certificate Format and Certificate Chain Specification.
Note:
If you have not purchased server certificates and client certificates yet, you can also refer to Using OpenSSL to Generate Self-Signed Certificates to generate self-signed certificates in a testing environment.

Use Limits

Currently, each domain name supports only one client CA certificate. RSA, ECC, and SM2 (national encryption algorithm) certificates are supported.
If the server certificate uses a national encryption algorithm, the client CA certificate must also use a national encryption algorithm.

Directions

For example, to configure mutual authentication for the domain name www.example.com, with the client CA certificate already uploaded to the Tencent Cloud SSL console:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Domain Name Service > Domain Name Management.
3. On the domain name management page, select the domain name to be configured with a certificate and click Edit in the HTTPS column. The HTTPS certificate configuration page pops up. Under mTLS configuration, enable Edge mTLS and select an existing client CA certificate.
4. Click Confirm to deploy the configuration; it takes effect as soon as deployment completes. From then on, a client must present a client certificate issued by the configured client CA, otherwise the HTTPS handshake cannot be completed. You can verify that the handshake succeeds by running the following curl command with the client certificate:
curl https://www.example.com --cert client.crt --key client.key -v -k
In this command, --cert is the local path of the client certificate (public key) and --key is the local path of the client private key. The -k option disables verification of the server certificate; it is acceptable for this handshake test but should not be used in production clients.

FAQs

What Should I Do If Testing Fails with the Response Message: Empty Reply From Server?

In this case, the most common cause is that the certificate chain of the configured client CA certificate is incomplete. Concatenate the complete certificate chain and upload it to the Tencent Cloud SSL console; the concatenation order must strictly follow the CA Certificate Format and Certificate Chain Specification.
You can also verify the CA certificate and the client certificate locally with openssl first. The first command prints the client certificate (issuer, validity period, and extensions) so that you can confirm it was issued by the expected CA; the second checks that client.crt chains to CA.crt. If the second command prints client.crt: OK, the certificate chain is fine.
openssl x509 -in client.crt -text -noout
openssl verify -CAfile CA.crt client.crt