mTLS
Introduction
mTLS is a mutual authentication protocol in which the two parties (the client and the server) authenticate each other at the same time. In plain TLS, client authentication is an optional step: typically the server proves its identity to the client with a certificate, while authenticating the client is delegated to the application layer. In summary, mTLS is rarely used in end-user applications. It is targeted more at B2B applications, where only a limited number of clients connect to a service. This keeps the operational burden manageable while greatly enhancing security, which is often a key concern in such systems.
If you have to meet high security requirements when connecting to our services, mTLS is certainly an option to consider. In this guide, we walk you through the required steps.
The only port available for mTLS is 8443.
Certificate requirements
- If you are going to call our services, we require an OV (Organization Validated) certificate from a trusted authority
- When we call your services, our certificate will be a QWAC (Qualified Website Authentication Certificate)
How to get started
General troubleshooting
Certificate Issues
```bash
# Inspect the certificate (fails if the file is not a valid PEM certificate)
openssl x509 -in server-bundle.crt -text -noout
# Check certificate expiration
openssl x509 -in server-bundle.crt -noout -enddate
# Test the TLS connection on the mTLS port
openssl s_client -connect webhook.yourcompany.com:8443 -servername webhook.yourcompany.com
```
Common Problems
| Issue | Solution |
|---|---|
| "x509: certificate signed by unknown authority" | Ensure you're using the bundled certificate with intermediate CA |
| "tls: private key does not match public key" | Regenerate CSR with the correct private key |
| Connection refused | Check firewall rules for port 8443 |
| Certificate name mismatch | Ensure CN in certificate matches your domain |
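As an added example (not part of this guide), the pre-flight check below reproduces the three certificate failures in the table offline with Go's crypto/tls and crypto/x509 packages, whose error strings are the ones quoted in the table. It assumes a constructed root, intermediate and leaf chain for the hostname webhook.yourcompany.com used in the commands above; newCert and toPEM are test helpers written for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CheckBundle runs the checks behind the "Common Problems" table: the key must match the leaf,
// the chain (leaf followed by intermediates) must verify against roots, and the SAN must match host.
func CheckBundle(bundlePEM, keyPEM []byte, roots *x509.CertPool, host string) error {
	pair, err := tls.X509KeyPair(bundlePEM, keyPEM) // "tls: private key does not match public key"
	if err != nil {
		return err
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed the leaf
	inter := x509.NewCertPool()
	for _, der := range pair.Certificate[1:] { // intermediates are bundled after the leaf
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	// Missing intermediate -> "x509: certificate signed by unknown authority"; wrong host ->
	// hostname mismatch; expired or not-yet-valid certificates are rejected here as well.
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// newCert issues a constructed test cert for name, signed by parent (self-signed when parent is nil); for brevity every cert gets a DNS SAN and CertSign.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// toPEM wraps DER bytes in a PEM block such as "CERTIFICATE" or "EC PRIVATE KEY".
func toPEM(typ string, der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}) }
```

To run it against a real deployment, read server-bundle.crt and the key file into CheckBundle and load the issuing CA's root into the pool instead of the constructed chain.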
