
# Enable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker

### Overview

Mutual TLS (mTLS) enhances security by requiring both the server and the client to authenticate each other using digital certificates. When mTLS is enabled, only clients presenting valid certificates signed by a trusted Certificate Authority (CA) can successfully establish a connection.

This guide explains how to upload a trusted CA list, apply the configuration, and enforce the mTLS policy through the asset's Advanced Settings interface, in Gateway / Virtual Machine and Single Docker.

#### Prerequisite

* Ensure you have a valid CA certificate (`.pem`) file used to sign client certificates.
* Ensure you have one of the following profile types:
  * Docker Agents: Single Container - CloudGuard WAF (With Reverse Proxy)
  * AppSec Gateway Profile

#### Instructions to Configure mTLS

1. Navigate to the asset you wish to protect.
2. Open the Advanced Settings section.


3. Locate the Client SSL Verification configuration option.
4. Select the checkbox labeled Trusted CA list for client SSL verification.


5. Click Upload, then select and upload your CA certificate (`.pem`) file.
6. The uploaded CA list defines which client certificates are trusted for authentication.
7. Verify that the file name appears in the upload field once the upload completes.
8. Save and apply the configuration.
9. Click OK to save your changes.
10. Click Enforce to synchronize the updated configuration to your agents.
11. Once enforced, clients are required to present valid certificates during connection attempts.

#### Configuring Multiple CA Certificates

If you need to trust more than one Certificate Authority, you can combine multiple CA certificates into a single `.pem` file.

To do this:

* Open a text editor.
* Paste each CA certificate one after another, ensuring each retains its own `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` headers.
* Save the combined file (for example, `trusted-cas.pem`). Example structure:

  ```
  -----BEGIN CERTIFICATE-----
  (CA Certificate #1 contents)
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  (CA Certificate #2 contents)
  -----END CERTIFICATE-----
  ```

* Upload this single `.pem` file as your Trusted CA list.
* All included CAs will be recognized as valid signing authorities for client certificates.
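A certificate pasted without its END marker, or cut off part-way through, is easy to miss by eye and would leave that CA out of the trusted list. The following script is an added example for checking a combined bundle before upload; it is not part of the CloudGuard WAF product, and its sample bundles are constructed minimal DER structures standing in for real CA certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_complete(der):
    """True if the outer DER SEQUENCE length matches the data, catching a cert cut off mid-paste."""
    if len(der) < 2 or der[0] != 0x30:  # every X.509 certificate is a SEQUENCE (tag 0x30)
        return False
    first = der[1]
    if first < 0x80:  # short form: one length byte
        header, length = 2, first
    else:  # long form: low bits give the number of length bytes that follow
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_bundle(text):
    """Return (usable certificate count, problems) for a PEM bundle; an empty problem list means safe to upload."""
    problems, count = [], 0
    begins = text.count("-----BEGIN CERTIFICATE-----")
    ends = text.count("-----END CERTIFICATE-----")
    if begins != ends:
        problems.append(f"unmatched markers: {begins} BEGIN, {ends} END")
    for i, m in enumerate(PEM_BLOCK.finditer(text), start=1):
        try:  # validate=True rejects stray characters instead of silently dropping them
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der_is_complete(der):
            problems.append(f"certificate {i}: truncated or not DER")
            continue
        count += 1
    if count == 0:
        problems.append("no usable certificates found")
    return count, problems

def _pem(der):
    """Wrap constructed DER bytes as one PEM block (sample data, not a real certificate)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed stand-ins for CA certificates: minimal DER SEQUENCEs, not real X.509 data.
GOOD_BUNDLE = _pem(b"\x30\x03\x02\x01\x01") + _pem(b"\x30\x03\x02\x01\x02")
TRUNCATED_BUNDLE = _pem(b"\x30\x05\x02\x01\x01")  # header claims 5 bytes, only 3 follow
UNMATCHED_BUNDLE = GOOD_BUNDLE + "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n"  # END marker lost
```

Run `check_bundle` over the contents of your `trusted-cas.pem`; the count should equal the number of CAs you pasted, and any reported problem means the file needs fixing before upload.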

