Enable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker
Overview
Mutual TLS (mTLS) enhances security by requiring both the server and the client to authenticate each other using digital certificates. When mTLS is enabled, only clients presenting valid certificates signed by a trusted Certificate Authority (CA) can successfully establish a connection.
This guide explains how to upload a trusted CA list, apply the configuration, and enforce the mTLS policy through the asset’s Advanced Settings interface in Gateway / Virtual Machine and Single Docker.
Prerequisite
Ensure you have a valid CA certificate (.pem) file used to sign client certificates.
Ensure you have a Gateway / Virtual Machine or Single Docker deployment.
Instructions to Configure mTLS
Navigate to the asset you wish to protect.
Open the Advanced Settings section.

Locate the Client SSL Verification configuration option.
Select the checkbox labeled Trusted CA list for client SSL verification.

Click Upload, then select and upload your CA certificate (.pem) file.
The uploaded CA list defines which client certificates are trusted for authentication.
Verify that the file name appears in the upload field once the upload completes.
Save and Apply Configuration
Click OK to save your changes.
Click Enforce to synchronize the updated configuration to your agents.
Once enforced, clients will be required to present valid certificates during connection attempts.
Configuring Multiple CA Certificates
If you need to trust more than one Certificate Authority, you can combine multiple CA certificates into a single .pem file.
To do this:
Open a text editor.
Paste each CA certificate one after another, ensuring each retains its own -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.
Save the combined file (for example, trusted-cas.pem). Example structure:
-----BEGIN CERTIFICATE-----
(CA Certificate #1 contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(CA Certificate #2 contents)
-----END CERTIFICATE-----
Upload this single .pem file as your Trusted CA list.
All included CAs will be recognized as valid signing authorities for client certificates.
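As an alternative to pasting by hand, the following added example (not part of the product or its documentation) builds the combined file in Python and checks it before upload: it rejects private keys, non-certificate blocks and truncated pastes, and drops a CA that was pasted twice. The function names and sample inputs are assumptions made for illustration, and the check is structural only: it does not verify that each certificate is actually a CA.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(  # any PEM block: captures label and base64 body
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def build_ca_bundle(pem_texts):
    """Merge PEM texts into one bundle; return (bundle, SHA-256 fingerprints)."""
    seen, blocks = [], []
    for text in pem_texts:
        found = PEM_BLOCK.findall(text)
        # A BEGIN marker without its END means a truncated paste.
        if not found or text.count("-----BEGIN ") != len(found):
            raise ValueError("missing or unterminated PEM block")
        for label, body in found:
            if "PRIVATE KEY" in label:  # a trust list holds public certs only
                raise ValueError("private key in CA input, refusing to bundle")
            if label != "CERTIFICATE":
                raise ValueError(f"unexpected PEM block type: {label}")
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError as exc:
                raise ValueError("certificate body is not valid base64") from exc
            if der[:1] != b"\x30":
                raise ValueError("certificate body is not a DER SEQUENCE")
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:  # same CA pasted twice
                continue
            seen.append(fp)
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            blocks.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                                     "-----END CERTIFICATE-----"]))
    return "\n".join(blocks) + "\n", seen


def sample_pem(der, label="CERTIFICATE"):
    """Wrap constructed placeholder bytes (not a real certificate) in PEM."""
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    # Constructed inputs: two placeholder CAs, the first pasted twice.
    ca1, ca2 = sample_pem(b"\x30\x03\x02\x01\x01"), sample_pem(b"\x30\x03\x02\x01\x02")
    bundle, fps = build_ca_bundle([ca1 + ca1, ca2])
    print(bundle + "\n".join(fps))
```

The returned fingerprints can be compared against the fingerprints published by each CA owner before the bundle is uploaded as the Trusted CA list.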