Enable Mutual TLS (mTLS) Authentication in Gateway / Virtual Machine and Single Docker

Overview

Mutual TLS (mTLS) enhances security by requiring both the server and the client to authenticate each other using digital certificates. When mTLS is enabled, only clients presenting valid certificates signed by a trusted Certificate Authority (CA) can successfully establish a connection,

This guide explains how to upload a trusted CA list, apply the configuration, and enforce the mTLS policy through the asset’s Advanced Settings interface, in in Gateway / Virtual Machine and Single Docker.

Prerequisite

  • Ensure you have a valid CA certificate (.pem) file used to sign client certificates.

  • Ensure you have one of the following profile types:

    • Docker Agents: Single Container - CloudGuard WAF (With Reverse Proxy)

    • AppSec Gateway Profile

Instructions to Configure mTLS on

  1. Navigate to the asset you wish to protect.

  2. Open the Advanced Settings section.

  1. Locate the Client SSL Verification configuration option.

  2. Select the checkbox labeled Trusted CA list for client SSL verification.

  1. Click Upload, then select and upload your CA certificate (.pem) file.

  2. The uploaded CA list defines which client certificates are trusted for authentication.

  3. Verify that the file name appears in the upload field once the upload completes.

  4. Save and Apply Configuration

  5. Click OK to save your changes.

  6. Click Enforce to synchronize the updated configuration to your agents.

  7. Once enforced, clients will be required to present valid certificates during connection attempts.

Configuring Multiple CA Certificates

If you need to trust more than one Certificate Authority, you can combine multiple CA certificates into a single .pem file.

To do this

  • Open a text editor.

  • Paste each CA certificate one after another, ensuring each retains its own

-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.

  • Save the combined file (for example, trusted-cas.pem), example structure:

-----BEGIN CERTIFICATE-----

(CA Certificate #1 contents)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(CA Certificate #2 contents)

-----END CERTIFICATE-----

  • Upload this single .pem file as your Trusted CA list.

  • All included CAs will be recognized as valid signing authorities for client certificates.

PreviousIntegrate CloudGuard WAF with PrometheusNextWAF Gateway / Virtual Machine

Last updated

Was this helpful?