Mutual TLS authentication

The Mender Gateway and Mutual TLS (mTLS) authentication are only available in the Mender Enterprise plan. To access the Mender Gateway container, please contact support and mention that you are requesting "Access to the Mender Gateway".

Mutual TLS was previously supported by the mtls-ambassador server component, which has been replaced by mender-gateway. Please see the migration guide for steps on how to migrate from mtls-ambassador to mender-gateway.

Mender supports setting up a reverse proxy at the edge of the network which authenticates devices using TLS client certificates. Each client presents a certificate signed by a Certificate Authority (CA), and the edge proxy authenticates the device by verifying this signature. Authenticated devices are automatically authorized in the Mender backend and do not need manual approval or preauthorization.

This is particularly useful in a mass-production setting: you can sign client certificates during the manufacturing process, so devices are automatically accepted into the Mender Server when your customer turns them on (which might happen several months after manufacturing).
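The two steps described above, issuing CA-signed device certificates at manufacturing time and verifying the chain at the edge, as an added shell example that is not part of the Mender documentation or product. It assumes the openssl command-line tool is installed; the CA names, device ids and temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not Mender's own code): build a toy PKI of the kind the edge
# proxy relies on, then check that only CA-signed device certificates verify.
# Assumes openssl is installed; names and paths below are constructed.
set -eu

WORK="$(mktemp -d)"

# Create a CA: private key plus self-signed certificate. In production the
# CA key stays offline; only the CA certificate is given to the proxy.
make_ca() {           # $1 = CA name
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -x509 -new -key "$WORK/$1.key" -days 3650 \
        -subj "/CN=$1" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a device certificate signed by the given CA (the manufacturing step).
# A long validity covers devices first powered on months after production.
issue_device_cert() { # $1 = CA name, $2 = device id
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$2.key"
    openssl req -new -key "$WORK/$2.key" -subj "/CN=$2" \
        -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 3650 \
        -out "$WORK/$2.crt" 2>/dev/null
}

# What the proxy does on connect: validate the presented certificate against
# the trusted CA. Returns 0 when the device cert chains to the CA, else 1.
verify_device_cert() { # $1 = trusted CA name, $2 = device id
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca trusted-ca
issue_device_cert trusted-ca device-0001   # legitimately manufactured device
make_ca rogue-ca
issue_device_cert rogue-ca device-0002     # cert from a CA the proxy does not trust

verify_device_cert trusted-ca device-0001 && echo "device-0001: accepted"
verify_device_cert trusted-ca device-0002 || echo "device-0002: rejected"
```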

See Device Authentication for a general overview of how device authentication works in Mender.

If you are unfamiliar with the mTLS flow, please take a look at the flow diagram and also read about the keys involved.

After that, it is suggested that you complete the evaluation with docker-compose, which leads you through a working example with a simple server setup and a client.

Once you have made your choices regarding Public Key Infrastructure (PKI) and have the client ready, proceed to the production installation with Kubernetes, which focuses only on how to set up the mTLS proxy server for production.
