search
PricingSign inRequest a Demo

Mutual TLS (mTLS)

Set up mutual TLS for Bindplane collector receivers with two-way authentication.

hashtag
What is Mutual TLS?

hashtag
Standard TLS vs Mutual TLS

Standard TLS (One-Way Authentication):

  • Client verifies server's certificate

  • Server does not verify client's identity

  • Client can be anonymous

  • Common for public web services

Mutual TLS (Two-Way Authentication):

  • Client verifies server's certificate

  • Server verifies client's certificate

  • Both parties prove their identity

  • Used in high-security environments

hashtag
Benefits of Mutual TLS

  • Strong Authentication: Cryptographic proof of client identity

  • Access Control: Only clients with valid certificates can connect

  • Zero Trust: Doesn't rely on network-level security (IP allowlists, VPNs)

  • Non-Repudiation: Client identity is cryptographically verified

hashtag
When to Use Mutual TLS

Consider using mTLS when:

  • You need to restrict which clients can send data to the collector

  • Compliance requires two-way authentication

  • You're in a zero-trust security environment

  • You want to authenticate clients by certificate rather than IP address

  • You need cryptographic proof of client identity for audit purposes

circle-info

mTLS vs IP Allowlisting

While IP allowlisting can restrict access by network location, mTLS provides stronger authentication that travels with the client, regardless of network location. This is especially valuable in cloud and containerized environments where IP addresses are dynamic.

hashtag
mTLS Configuration Options

Bindplane collectors provide two parameters for client certificate verification with different behaviors:

hashtag
Option 1: ca_file (Opportunistic Client Verification)

Behavior:

  • Client certificates are optional

  • If a client presents a certificate, it will be verified against the CA

  • Clients without certificates can still connect

  • Useful for mixed environments (some authenticated, some not)

circle-info

Technical Details

This sets the RootCAs trust pool but does not enforce client certificate requirements. See the OTel configtls documentationarrow-up-right for details on the underlying tls.Config mapping.

hashtag
Option 2: client_ca_file (Required Client Verification)

Behavior:

  • Client certificates are required

  • Connections without valid client certificates are rejected

  • Sets Go's ClientAuth to RequireAndVerifyClientCert

  • Supports automatic reloading with client_ca_file_reload

  • This is the recommended approach for enforcing mTLS

circle-check

Recommended for mTLS

Use client_ca_file when you want to enforce mutual TLS. This ensures that all clients must present valid certificates.

hashtag
Comparison Table

Feature

ca_file

client_ca_file

Client cert required

No (optional)

Yes (enforced)

Clients without certs

Allowed

Rejected

Auto-reload support

No

Yes (with client_ca_file_reload)

Use case

Mixed environments

Strict mTLS

ClientAuth mode

VerifyClientCertIfGiven

RequireAndVerifyClientCert

hashtag
Setting Up mTLS Certificates

hashtag
Server Side (Collector)

You'll need:

  1. Server certificate and key (same as basic TLS)

    • cert_file: Server certificate (can include full chain)

    • key_file: Server private key (must be unencrypted)

  2. Client CA certificate(s) to verify client certificates

    • client_ca_file: CA certificate(s) that signed the client certificates

    • Can contain multiple CA certificates (concatenated PEM)

hashtag
Client Side

Each client needs:

  1. Client certificate signed by the CA trusted by the server

  2. Client private key (must be unencrypted if using OpenTelemetry clients)

  3. Server CA certificate(s) to verify the collector's certificate

circle-exclamation

Certificate Authority Trust

The CA used to sign client certificates does NOT need to be the same CA that signed the server certificate. You can use different CAs for server and client certificates, as long as each side trusts the appropriate CA.

hashtag
PKI Infrastructure Considerations

For production mTLS deployments:

  • Use your organization's PKI infrastructure to issue certificates

  • Implement certificate lifecycle management (issuance, renewal, revocation)

  • Consider using different intermediate CAs for server and client certificates

  • Plan for certificate rotation and revocation

For testing, see Generating Test Certificates.

hashtag
Complete mTLS Configuration Examples

hashtag
TCP Receiver with mTLS

hashtag
Syslog Receiver with mTLS

hashtag
Production mTLS with Security Hardening

hashtag
Configuring mTLS in the Bindplane UI

circle-info

Important: There is no separate "Enable mTLS" checkbox in the UI for most receivers. mTLS is enabled by providing a CA certificate file.

hashtag
Step-by-Step UI Configuration

  1. Navigate to your source configuration (e.g., TCP or Syslog source)

  2. Expand the Advanced section

  3. Check "Enable TLS"

  4. Configure server certificate:

    • TLS Certificate Path: /path/to/server-fullchain.crt

    • TLS Private Key Path: /path/to/server.key

  5. Configure client verification (this enables mTLS):

    • Client CA File: /path/to/client-ca.crt

  6. Optional: Set TLS Min Version to "1.2" or higher

hashtag
UI Field Mapping

Bindplane UI Field
YAML Parameter
Purpose

Enable TLS

tls: block

Enables TLS configuration

TLS Certificate Path

cert_file

Server certificate

TLS Private Key Path

key_file

Server private key

CA File

ca_file

Optional client verification

Client CA File

client_ca_file

Enforced mTLS

TLS Min Version

min_version

Minimum TLS version

hashtag
Testing mTLS Connections

hashtag
Test with Valid Client Certificate

Expected result:

  • Connection succeeds

  • Handshake completes

  • Verify return code: 0 (ok) or appropriate verification result

hashtag
Test Rejection of Unauthorized Clients

When using client_ca_file, test that connections without client certificates are rejected:

Expected result:

  • Connection rejected

  • Error message: "certificate required" or "handshake failure"

hashtag
Verify Client Certificate Details

For more testing commands, see Testing and Verification.

hashtag
mTLS Troubleshooting

hashtag
Issue: Client Certificate Required Errors

Symptoms:

  • Clients receive "certificate required" or "handshake failure" errors

  • Connections are rejected during TLS handshake

Cause: Client is not presenting a valid certificate when client_ca_file is configured.

Solution:

  1. Verify the client is presenting a certificate:

  2. Ensure the client certificate is signed by the CA specified in client_ca_file:

  3. Check that the client certificate hasn't expired:

hashtag
Issue: Client Certificate Verification Fails

Symptoms:

  • Client presents a certificate but connection is still rejected

  • Error: "bad certificate" or "unknown ca"

Cause: Client CA file doesn't match the CA that signed the client certificate.

Solution:

  1. Check that client_ca_file contains the CA that signed the client certificate

  2. If using intermediate CAs, ensure the full chain is included

  3. Verify the certificate chain:

hashtag
Issue: Connections Accepted Without Client Certificates

Symptoms:

  • Clients without certificates can still connect

  • mTLS is not being enforced

Cause: Using ca_file instead of client_ca_file.

Solution:

  1. Verify you're using client_ca_file (not just ca_file)

  2. ca_file alone does not enforce mTLS - it only provides optional verification

  3. client_ca_file sets ClientAuth to RequireAndVerifyClientCert

Correct configuration:

hashtag
Issue: Client CA Changes Not Taking Effect

Cause: Not using client_ca_file_reload or collector needs restart.

Solution:

Enable automatic CA file reloading:

Or restart the collector after updating the CA file.

PreviousTLS Configuration GuideNextEncrypting Traffic Between Collectors and Gateways

Last updated

Was this helpful?