
mTLS for Edge Node to Origins

Mutual TLS (mTLS) allows the Wallarm Edge Node to authenticate itself to your origin servers using a client certificate. This ensures that your origins accept requests only from trusted sources.

When configuring Security Edge, you can generate and upload client certificates for the Edge Nodes.

How it works

When mTLS is enabled for an origin:

  1. Before forwarding filtered traffic to your origin, the Edge Node presents a client certificate during the TLS handshake.

  2. The origin verifies the certificate against a trusted CA (Certificate Authority) bundle.

  3. If the certificate is valid and matches the expected parameters (e.g., Common Name or Subject Alternative Name), the connection is established and the request is accepted.


Enabling mTLS

You can upload multiple certificates and assign different ones to different origins.

  1. Generate a client certificate and private key pair, signed by a trusted CA. They must meet the following requirements:

    • Client certificate: X.509, PEM format.

      Must include the Extended Key Usage (EKU) extension set to Client Authentication.

    • Private key: PEM format, must correspond to the client certificate.

    • CA bundle: PEM format, must include the issuing certificate authority for the client certificate.
  2. In Wallarm Console → Security Edge → Configure, under General settings, upload the certificate, private key, and CA bundle.

  3. In the Origins section, enable Require mTLS from Edge Node for the relevant origin and select the appropriate certificate.

    Each origin can use a different certificate if needed.

  4. Save the settings.

  5. Configure your origin to require mTLS for incoming connections. Trust the CA bundle used to issue the client certificate.
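The following shell script is an added example, not part of the Wallarm documentation or product: it issues a client certificate that meets the requirements in step 1 (X.509, PEM, EKU set to Client Authentication, private key matching the certificate) from a throwaway private CA, then runs the checks an origin performs in the "How it works" section (chain verification against the CA bundle, EKU check) plus the key/certificate correspondence check you should do before uploading. It also issues a second certificate with only the serverAuth EKU to show that chain verification alone is not enough. The CA name (demo-ca), subject names, SAN (edge-node.example) and the work directory are constructed placeholders; in practice the certificate is signed by your organisation's CA.

```shell
#!/bin/sh
# Added example (not Wallarm's code): issue an Edge Node client certificate
# with a private CA and run the checks an mTLS origin applies to it.
# demo-ca, edge-node-client, edge-node.example and WORKDIR are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Issue (once) a self-signed CA, then a client key + certificate named $2
# whose extendedKeyUsage is $1 (clientAuth is what mTLS requires;
# serverAuth is used below to demonstrate a rejection). All files are PEM.
issue_cert() {
  eku="$1"; name="$2"
  if [ ! -f "$WORKDIR/ca.pem" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
      -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.pem" 2>/dev/null
  fi
  # Client private key and CSR (the key is what gets uploaded with the cert).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=edge-node-client" \
    -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
  # Extension file: the EKU is the requirement from step 1; SAN is optional.
  printf 'extendedKeyUsage = %s\nsubjectAltName = DNS:edge-node.example\n' "$eku" \
    > "$WORKDIR/$name.ext"
  openssl x509 -req -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.pem" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.pem" 2>/dev/null
}

# "How it works" step 2: the origin verifies the chain against its CA bundle.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/$1.pem" >/dev/null 2>&1
}

# "How it works" step 3: the certificate must be usable for client
# authentication. OpenSSL's purpose evaluation reports "SSL client : Yes"
# only when the EKU (if present) contains Client Authentication.
has_client_auth_eku() {
  openssl x509 -in "$WORKDIR/$1.pem" -noout -purpose 2>/dev/null \
    | grep -q '^SSL client : Yes'
}

# Step 1 requirement: private key $2 must correspond to certificate $1.
# Compared via the public key each one yields.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORKDIR/$1.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$WORKDIR/$2.key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# Exercise the checks on a correct certificate and on a wrong-EKU one.
demo() {
  issue_cert clientAuth edge-client
  issue_cert serverAuth wrong-eku
  verify_chain edge-client || { echo "edge-client: chain FAIL"; return 1; }
  has_client_auth_eku edge-client || { echo "edge-client: EKU FAIL"; return 1; }
  key_matches_cert edge-client edge-client \
    || { echo "edge-client: key does not match cert"; return 1; }
  echo "edge-client: chain, EKU and key/cert checks passed"
  # The serverAuth certificate chains fine yet must be refused for mTLS.
  if has_client_auth_eku wrong-eku; then
    echo "wrong-eku: unexpectedly usable for client auth"; return 1
  fi
  echo "wrong-eku: rejected (EKU lacks Client Authentication)"
  if key_matches_cert edge-client wrong-eku; then
    echo "mismatch: unexpectedly accepted"; return 1
  fi
  echo "mismatched key/cert pair: rejected"
}

demo
```

Run it once to see each check pass or fail; `WORKDIR=/some/dir sh script.sh` keeps the generated PEM files for inspection. For step 5 on an nginx origin, the equivalent of these checks is `ssl_verify_client on;` with `ssl_client_certificate` pointing at the same CA bundle; EKU is then enforced by the TLS library during the handshake rather than by a separate grep.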
