mTLS (mTLS)

Security

Mutual TLS. Both client and server present X.509 certificates during the TLS handshake, authenticating each other. Used between CDN edge and origin for zero-trust security, and for API client authentication.

Updated Mar 9, 2026

Full Explanation

Regular TLS is one-sided: the server proves its identity with a certificate, but the client stays anonymous. mTLS adds client certificates, so both sides verify each other. The CDN edge presents a client cert to the origin, and the origin only accepts connections from CDN nodes with valid certificates.

This is important for CDN security because it prevents attackers from bypassing the CDN and hitting the origin directly. Even if someone discovers your origin IP, they can't connect without a valid client certificate. It's a core component of zero-trust architectures.

The tradeoff is operational complexity. You need to manage certificate issuance, rotation, and revocation for all CDN edge nodes. Most CDN providers handle this internally (Cloudflare Authenticated Origin Pulls, CloudFront Origin Access Control), so you just configure your origin to require client certificates issued by their CA.

Examples

Nginx origin requiring mTLS from CDN:

server {
    listen 443 ssl;
    server_name origin.example.com;

    ssl_certificate     /etc/ssl/server.crt;
    ssl_certificate_key /etc/ssl/server.key;

    # Require a client certificate that chains to the CDN's CA.
    # With "on", nginx aborts the TLS handshake itself when the
    # certificate is missing or fails verification.
    ssl_client_certificate /etc/ssl/cloudflare-ca.pem;
    ssl_verify_client on;

    # Defense in depth: $ssl_client_verify is "SUCCESS" only for a
    # verified certificate (otherwise "NONE" or "FAILED:reason").
    # This guard only matters if ssl_verify_client is later relaxed
    # to "optional"; with "on" a request never gets this far.
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}

Testing mTLS with curl:

# Connect with client certificate
curl --cert client.crt --key client.key \
     --cacert ca.crt \
     https://origin.example.com/health

# Without client cert: the TCP connection succeeds, but the origin rejects the TLS handshake
curl https://origin.example.com/health
# curl: (56) SSL peer rejected your certificate
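The same trust relationship as a runnable program, added here as an example; it is not code from the page, from nginx, or from any CDN provider. It uses Go's crypto/x509 and crypto/tls so it can mint a throwaway CA and certificates and run offline: the nginx directives map to tls.Config fields (ssl_client_certificate becomes ClientCAs, ssl_verify_client on becomes RequireAndVerifyClientCert), and connect plays the two curl commands. It goes one step beyond the text by also trying a client certificate from an unrelated CA, which the origin must reject just like a missing one. The CA names, the edge node name cdn-edge-01 and the loopback listener are constructed for the demo; only origin.example.com and the /health path come from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// issueCert mints a short-lived P-256 cert for cn, signed by parent or self-signed (a CA) when parent is nil.
// eku is ignored for CAs. Every CA and name in this demo is constructed; none of it is real CDN material.
func issueCert(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // an ephemeral demo PKI has nothing to fall back on
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil,
	}
	signer, skey := parent, pkey
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, skey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku}
		tmpl.DNSNames = []string{"origin.example.com"} // the server_name in the nginx block; harmless on client certs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, skey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// startOrigin is the nginx block in Go: ssl_client_certificate -> ClientCAs, ssl_verify_client on ->
// RequireAndVerifyClientCert. The handler answers with the peer's CN, which is what an origin should log.
func startOrigin(srv *x509.Certificate, srvKey *ecdsa.PrivateKey, cdnCA *x509.Certificate) net.Listener {
	pool := x509.NewCertPool()
	pool.AddCert(cdnCA)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: pool,
	})
	if err != nil {
		panic(err)
	}
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName) // r.TLS exists only after a verified handshake
	}))
	return ln
}

// connect plays the curl command above; clientCert == nil is curl without --cert/--key.
func connect(addr string, serverCA, clientCert *x509.Certificate, clientKey *ecdsa.PrivateKey) (string, error) {
	cfg := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "origin.example.com"}
	cfg.RootCAs.AddCert(serverCA) // --cacert
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	// With TLS 1.3 the origin's rejection alert lands after the client handshake completes, so a bad or missing cert fails here (curl error 56).
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get("https://" + addr + "/health")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the PKI, starts the origin and tries a genuine edge node, no cert at all, and a cert from an unrelated CA.
func Demo() (edgeServed, noCertServed, foreignCAServed bool, greeting string) {
	cdnCA, cdnKey := issueCert("cdn-ca", 0, nil, nil)
	origin, originKey := issueCert("origin.example.com", x509.ExtKeyUsageServerAuth, cdnCA, cdnKey)
	edge, edgeKey := issueCert("cdn-edge-01", x509.ExtKeyUsageClientAuth, cdnCA, cdnKey)
	otherCA, otherKey := issueCert("unrelated-ca", 0, nil, nil)
	foreign, foreignKey := issueCert("not-an-edge", x509.ExtKeyUsageClientAuth, otherCA, otherKey)
	ln := startOrigin(origin, originKey, cdnCA)
	defer ln.Close()
	addr := ln.Addr().String()
	greeting, e1 := connect(addr, cdnCA, edge, edgeKey)
	_, e2 := connect(addr, cdnCA, nil, nil)
	_, e3 := connect(addr, cdnCA, foreign, foreignKey)
	return e1 == nil, e2 == nil, e3 == nil, greeting
}

func main() {
	fmt.Println(Demo()) // true false false hello cdn-edge-01
}
```

Running it, only the edge node whose certificate chains to the CDN CA is served; the two rejected attempts never reach the handler, and net/http writes a "TLS handshake error" line to stderr for each, which is the server-side signal worth forwarding to your logs when hunting for direct-to-origin connection attempts. For the demo the origin certificate is issued by the same CA that issues edge certificates; in production the CDN's CA goes only into ClientCAs (ssl_client_certificate) and the origin's own certificate comes from whatever public or private CA you already use.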
