Skip to main content

Mutual TLS

Introduction to Mutual TLS

Mutual TLS (mTLS) is a robust security protocol designed to authenticate both parties in a connection—the client and the server—by exchanging and validating digital certificates. This two-way authentication enhances security, ensuring that both the client and server are verified and trusted. It extends the traditional TLS (Transport Layer Security) protocol, where only the server is authenticated.

When connecting with mTLS:

  • Both the server and the client must present valid certificates.
  • Trust is established bilaterally, making it a preferred choice for secure API communication, microservices interaction, and high-security environments.
  • With Beeceptor's mock server, mutual TLS ensures that only authorized clients can access your endpoints, providing an additional layer of security against unauthorized access or impersonation.

Beeceptor's Mutual TLS Feature

Beeceptor's mock server supports mTLS, enabling secure interactions between clients and server endpoints. This feature is available for users subscribed to the Team plan and above and can be easily configured through the Beeceptor dashboard.

Key Features:

  • Certificate Management: Beeceptor generates signed certificates for clients to use during the handshake.
  • Flexible and Strict Modes: Supports both flexible and strict mTLS options for different levels of security.
  • Seamless Integration: Backward compatibility ensures your endpoints work with or without mTLS enabled.

When MTLS is enabled

Configuring Mutual TLS on Beeceptor

To set up Mutual TLS (mTLS) for your endpoint, follow these steps:

  1. Go to the Your Endpoints > Endpoint Settings page from the user menu.

  2. Scroll down to the Mutual TLS section and enable it.

  3. After enabling mTLS, provide a name for key generation.

  4. Beeceptor will automatically generate the required credentials, which include:

    • Signed certificate
    • Private key

    Certificates created here are valid for one year, ensuring secure and reliable communication during this period.

how to enable mutual-tls

Endpoint Selection

When you enable Mutual TLS on Beeceptor, the system creates additional subdomains for your mock server to accommodate different levels of security. These endpoints allow flexibility in how clients connect to the mock server, catering to both mTLS-enabled and standard TLS-based connections.

Below are the three types of endpoints available when mTLS is activated:

1. Standard SSL Access

The first type of endpoint supports standard TLS connections and is accessible at a subdomain like:

https://<your-endpoint>.proxy.beeceptor.com/

This endpoint does not enforce mTLS. It operates using standard SSL/TLS, which means that the client can connect without presenting a certificate. This option is ideal for cases where you want to allow open access to the endpoint or for backward compatibility with clients that do not support mTLS. While it provides basic encryption and server authentication, it does not verify the client’s identity.

2. Flexible Mutual TLS

The second endpoint offers flexibility, supporting connections with or without mutual TLS. It is available at:

https://<your-endpoint>.mtls.beeceptor.com/

This endpoint is designed for scenarios where you need to gradually introduce mTLS into your workflow. Here's how it behaves:

  • If the client provides a valid certificate signed by Beeceptor, the server validates the certificate, and the connection is established securely using mTLS.
  • If an invalid or unsigned certificate is provided, the connection is rejected to prevent unauthorized access.
  • If no certificate is presented, the server defaults to a standard TLS connection, providing open access like the Standard SSL Access endpoint.

This mode is especially useful for transitioning systems or testing environments where not all clients are configured for mTLS but may need to adopt it over time.

3. Strict Mutual TLS

The strict mTLS endpoint enforces mandatory client authentication and ensures that only authorized clients with valid Beeceptor-signed certificates can connect. It is accessible via:

https://<your-endpoint>.rmtls.beeceptor.com/

With strict mTLS, every connection attempt is validated. If the client does not present a certificate, or if the certificate is invalid or unsigned by Beeceptor, the connection is immediately rejected. This endpoint is designed for high-security scenarios where you need to guarantee that only trusted and authenticated clients can access your service.

Strict mTLS is particularly suited for securing sensitive APIs, internal microservices communication, or integrations with third-party systems that require stringent security measures.