How to Enable SSL/TLS Client Certificates (Mutual TLS/mTLS)
Unito signs HTTPS requests to APIs using a two-step process with TLS certificates (Mutual TLS/mTLS) for enhanced authenticity verification. Here’s how.
As an additional layer of security, Unito can sign all HTTPS requests to APIs using a two-step process with TLS certificates. This is especially beneficial for customers hosting on-premise instances of their tools (e.g. Jira or GitHub Enterprise).
Our client certificates are signed by our own Certificate Authority (CA). So you’ll need to explicitly authorize either our client certificate or our CA certificate.
You can do this by copying the code blocks below. Our certificates are signed with RSA and SHA-256 and use 4096-bit keys.
You can then contact us to enable SSL client certificates for your server.
A typical method to implement this process is through this nginx configuration.
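The following nginx server block is an added illustration, not Unito's own configuration: it trusts the CA certificate published below as the only acceptable issuer of client certificates, rejects any handshake without a valid client certificate, and optionally narrows acceptance to one specific client certificate by fingerprint. File paths, the hostname, the upstream address and the fingerprint value are placeholders.

```nginx
# Optional tighter policy: accept only Unito's one client certificate rather than
# every certificate the CA has ever issued. The fingerprint below is a
# placeholder; replace it with the SHA-1 fingerprint of the client certificate
# from this page (openssl x509 -noout -fingerprint -sha1 -in unito-client.pem),
# written as lowercase hex without colons, which is how nginx exposes it.
map $ssl_client_fingerprint $unito_client_allowed {
    default 0;
    "0000000000000000000000000000000000000000" 1;   # placeholder value
}

server {
    listen 443 ssl;
    server_name jira.example.internal;    # placeholder hostname

    # Ordinary server-side TLS
    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Trust anchor for client certificates: the CA certificate from this page,
    # saved as a PEM file. With ssl_verify_client "on", nginx aborts the
    # handshake unless the client presents a certificate that chains to this CA.
    # Depth 1 allows exactly CA -> client certificate and nothing longer.
    ssl_client_certificate /etc/nginx/tls/unito-ca.pem;   # placeholder path
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        # Defence in depth: with "on" this is always SUCCESS, but the explicit
        # check keeps the intent visible if ssl_verify_client is later relaxed
        # to "optional" for another client.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Enforce the per-certificate allow-list from the map above.
        if ($unito_client_allowed = 0) {
            return 403;
        }
        # Pass the verified identity upstream for audit logging. The application
        # should only trust these headers when the request arrives via this proxy.
        proxy_set_header X-SSL-Client-S-DN   $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;    # placeholder upstream
    }
}
```

After reloading nginx, a request without the client certificate should be refused during the handshake, which is the quickest way to confirm the policy is active.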
Client certificate
CA Certificate
What is Mutual TLS (mTLS)?
mTLS, or Mutual Transport Layer Security, is a protocol used by Unito that provides an additional layer of security between a client and a server. Unlike standard TLS, which only requires the server to present a certificate, mTLS requires both the client and server to authenticate each other using certificates.
How does mTLS function in the context of Unito?
In the context of Unito, your organization acts as its own Certificate Authority (CA), issuing and verifying certificates that correspond to a self-signed “root” TLS certificate. This allows you to verify the legitimacy of both parties involved in a data exchange, providing enhanced security against various types of attacks including on-path attacks, spoofing, credential stuffing, brute force attacks, phishing, and malicious API requests.
While mTLS is not commonly used on the entire internet due to the complexity of managing billions of certificates, it is highly practical for individual organizations, especially those employing a Zero Trust approach to network security. This approach involves authenticating every user, device, and request each time they try to access any point in the network, and mTLS plays a crucial role in making this possible. Find out more about mTLS.