πŸ” mTLS Handshake

Mutual TLS β€” step-by-step, with every key usage explained

Private Key (secret, never leaves owner)
Public Certificate (shared openly)
CA / Trust (certificate authority)
Session Key (derived, symmetric)

💻 Client

🔑 Client Private Key: signs the CertificateVerify message; never leaves the client
📜 Client Certificate: contains the client public key, signed by the CA
🏛️ Trusted CA Store: verifies that the server certificate chains to a trusted CA
⚡ Session Key: derived from the handshake material (both randoms plus the DH shared secret)

🖥️ Server

🔑 Server Private Key: in TLS 1.2 signs the ServerKeyExchange (ephemeral DH/ECDH parameters); with the legacy RSA key exchange it instead decrypts the premaster secret sent by the client
📜 Server Certificate: contains the server public key, signed by the CA
🏛️ Trusted CA Store: verifies that the client certificate chains to a trusted CA
⚡ Session Key: derived from the same handshake material, so it is identical on both sides
Intro: What is mTLS?

In regular TLS, only the server proves its identity to the client: the client checks that the server certificate chains to a CA in its trust store and names the host it intended to reach. The server learns nothing about who the client is at the TLS layer; any client that can reach it gets a connection, and authentication has to happen later in the application (passwords, API keys, bearer tokens).

In mTLS (Mutual TLS), both sides authenticate: the server proves itself to the client AND the client proves itself to the server, by presenting its own certificate and signing a CertificateVerify message with the matching private key. The server then rejects the handshake itself when the client has no certificate, or one that does not chain to a CA it trusts, which is why mTLS is used in zero-trust networks, API gateways, service-to-service calls between microservices, and banking systems. A valid client certificate proves identity, not permission: the server still has to map the certificate's subject or SAN to an authorization decision.
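To make the difference concrete, here is an added example (not code from this page) that stands up an in-process mTLS server in Go using only the standard library's crypto/tls and crypto/x509, issues a throwaway CA plus a server and a client certificate, and connects twice: once presenting the client certificate and once without it. The names demo-ca, server.example and client.example and the helpers issue and mtlsRoundTrip are assumptions made for this example.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// issue generates a P-256 key and a certificate for name. With parent == nil the
// result is a self-signed CA; otherwise it is a leaf signed by the parent's key.
// (Example helper, not part of the page or of crypto/x509.)
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{name}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mtlsRoundTrip runs one mTLS connection on loopback and returns the greeting the
// server sent after identifying the client from its certificate. Without a client
// certificate the server aborts the handshake and the client gets an error instead.
func mtlsRoundTrip(withClientCert bool) (string, error) {
	caCert, caKey, err := issue("demo-ca", nil, nil)
	if err != nil { return "", err }
	serverCert, serverKey, err := issue("server.example", caCert, caKey)
	if err != nil { return "", err }
	clientCert, clientKey, err := issue("client.example", caCert, caKey)
	if err != nil { return "", err }
	pool := x509.NewCertPool() // the trust store: both sides trust the same demo CA here
	pool.AddCert(caCert)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // this setting is what makes it mTLS
		ClientCAs:    pool,                            // CA the client certificate must chain to
		MinVersion:   tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()

	// Server side: accept one connection, run the handshake, greet the verified peer.
	go func() {
		raw, err := ln.Accept()
		if err != nil { return }
		conn := tls.Server(raw, serverCfg)
		defer conn.Close()
		if err := conn.Handshake(); err != nil {
			return // missing or untrusted client cert fails here; an alert goes to the client
		}
		peer := conn.ConnectionState().PeerCertificates[0] // verified client leaf certificate
		fmt.Fprintf(conn, "hello %s\n", peer.Subject.CommonName)
	}()

	clientCfg := &tls.Config{RootCAs: pool, ServerName: "server.example", MinVersion: tls.VersionTLS12}
	if withClientCert {
		clientCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: clientKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil { return "", err } // TLS 1.2 surfaces the rejection during the handshake
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil { return "", err } // TLS 1.3 surfaces the server's alert on the first read
	return strings.TrimSpace(line), nil
}

func main() {
	for _, present := range []bool{true, false} {
		greeting, err := mtlsRoundTrip(present)
		fmt.Printf("client cert presented=%v greeting=%q err=%v\n", present, greeting, err)
	}
}
```

The server-side setting that turns TLS into mTLS is ClientAuth: tls.RequireAndVerifyClientCert together with ClientCAs; without it Go never even asks for a client certificate. Note the version-dependent failure mode: on TLS 1.2 the client sees the rejection as a failed tls.Dial, while on TLS 1.3 the client's own handshake completes and the server's alert arrives on the first Read, so a successful client handshake alone is not proof that the server accepted the certificate.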

πŸ” No keys used yet
0 / 12

πŸ—οΈ Key Usage Summary

🔑 Server Private Key

Used in TLS 1.2 to sign the ServerKeyExchange (the ephemeral DH/ECDH parameters), proving the server holds the key for the certificate it presented. The signature covers ClientHello.random and ServerHello.random as well as the parameters, so a captured ServerKeyExchange cannot be replayed against a different client. TLS 1.3 has no ServerKeyExchange; there the server signs a CertificateVerify over the handshake transcript instead.

📜 Server Public Key

Shared via the server certificate. The client uses it to verify the signature on ServerKeyExchange, but only after verifying that the certificate itself chains to a trusted CA and names the host the client intended to reach.

🔑 Client Private Key

Used to sign the CertificateVerify message, proving the client holds the key for the certificate it presented. The signature is over a hash of all handshake messages exchanged so far, which binds the proof to this particular handshake rather than to a reusable value.

📜 Client Public Key

Shared via the client certificate. The server uses it to verify the signature on CertificateVerify.

🏛️ CA Public Key

Both sides use CA public keys from their trust stores to verify certificate signatures and build a chain up to a trusted root. The server's trust store for client certificates is usually a private CA rather than the public web PKI; whichever it is, validity period, key usage and revocation status still have to be checked, and the identity in the certificate still has to be mapped to what that client is allowed to do.

⚡ Session Keys

Symmetric keys derived on both sides from the two random values plus the (EC)DH shared secret. In TLS 1.2 the shared secret is the premaster secret, the PRF turns it and both randoms into the 48-byte master secret, and a second PRF expansion of the master secret yields the per-direction write keys and IVs. The keys are never transmitted: an eavesdropper sees only the randoms and the public DH values, which is what gives ephemeral DH its forward secrecy.
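As an added example of the derivation described above (not code from this page), the following Go program implements the TLS 1.2 key schedule from RFC 5246 (the P_SHA256 PRF, the master secret, and key expansion) and runs an ECDHE agreement with the standard library's crypto/ecdh: the two sides exchange only randoms and public keys and arrive at identical AES-128-GCM write keys. The function names prf, deriveMasterSecret, deriveKeys, sameKeys and handshakeKeys are assumptions for this example, and the key block layout is the one for an AES_128_GCM cipher suite; TLS 1.3 replaces this PRF with an HKDF-based schedule and is not shown.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// prf is the TLS 1.2 PRF of RFC 5246 section 5 with P_SHA256:
// PRF(secret, label, seed) = P_SHA256(secret, label || seed) expanded to n bytes,
// where A(0) = seed, A(i) = HMAC(secret, A(i-1)) and block i = HMAC(secret, A(i) || seed).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	seed = append([]byte(label), seed...)
	out := make([]byte, 0, n)
	a := seed
	for len(out) < n {
		m := hmac.New(sha256.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(sha256.New, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}

// SessionKeys is the key block partition for an AES_128_GCM suite: GCM needs no
// separate MAC keys, so it is two 16-byte write keys and two 4-byte implicit IVs.
type SessionKeys struct {
	ClientWriteKey, ServerWriteKey []byte
	ClientWriteIV, ServerWriteIV   []byte
}

// deriveMasterSecret: master_secret = PRF(pre_master_secret, "master secret",
// ClientHello.random || ServerHello.random)[0..47]  (RFC 5246 section 8.1).
func deriveMasterSecret(premaster, clientRandom, serverRandom []byte) []byte {
	seed := append(append([]byte{}, clientRandom...), serverRandom...)
	return prf(premaster, "master secret", seed, 48)
}

// deriveKeys: key_block = PRF(master_secret, "key expansion",
// ServerHello.random || ClientHello.random)  (RFC 5246 section 6.3; note the reversed order).
func deriveKeys(master, clientRandom, serverRandom []byte) SessionKeys {
	seed := append(append([]byte{}, serverRandom...), clientRandom...)
	kb := prf(master, "key expansion", seed, 40)
	return SessionKeys{
		ClientWriteKey: kb[0:16], ServerWriteKey: kb[16:32],
		ClientWriteIV: kb[32:36], ServerWriteIV: kb[36:40],
	}
}

func sameKeys(a, b SessionKeys) bool {
	return bytes.Equal(a.ClientWriteKey, b.ClientWriteKey) && bytes.Equal(a.ServerWriteKey, b.ServerWriteKey) &&
		bytes.Equal(a.ClientWriteIV, b.ClientWriteIV) && bytes.Equal(a.ServerWriteIV, b.ServerWriteIV)
}

// handshakeKeys simulates the key-agreement part of a TLS 1.2 ECDHE handshake.
// Each side contributes a 32-byte random and an ephemeral P-256 key; only the
// randoms and the public keys cross the wire, and both sides derive the same keys.
func handshakeKeys() (client, server SessionKeys, err error) {
	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32)
	if _, err = rand.Read(clientRandom); err != nil { return } // ClientHello.random
	if _, err = rand.Read(serverRandom); err != nil { return } // ServerHello.random
	curve := ecdh.P256()
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return }
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil { return }
	// Wire view: ServerKeyExchange carries serverEph.PublicKey() (signed with the server's
	// certificate key); ClientKeyExchange carries clientEph.PublicKey(). Private scalars stay put.
	clientPremaster, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil { return }
	serverPremaster, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil { return }
	client = deriveKeys(deriveMasterSecret(clientPremaster, clientRandom, serverRandom), clientRandom, serverRandom)
	server = deriveKeys(deriveMasterSecret(serverPremaster, clientRandom, serverRandom), clientRandom, serverRandom)
	return
}

func main() {
	c, s, err := handshakeKeys()
	if err != nil { panic(err) }
	fmt.Printf("client_write_key=%x server_write_key=%x identical=%v\n", c.ClientWriteKey, c.ServerWriteKey, sameKeys(c, s))
}
```

Two details matter in practice: the randoms enter the derivation, so even a reused DH secret would yield different session keys per handshake, and the seed order for key expansion is server random first, the opposite of the master secret derivation; swapping them produces a different, interoperability-breaking key block.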