Implementing Mutual TLS (mTLS) Authentication with OpenSSL: A Step-by-Step Guide

This article explores mutual Transport Layer Security (mTLS) authentication and how OpenSSL can facilitate its implementation. Also known as client-server authentication, mTLS is a robust security mechanism that requires both the client and server to present valid digital certificates before establishing a secure connection. This additional layer of authentication ensures that only trusted entities can access protected resources.

We will set up mutual TLS (mTLS) using two intermediate CAs—one for server certificates and another for client certificates—both signed by the same root CA.


Steps Overview:

1. Create Root CA
2. Create Two Intermediate CAs (one for server, one for client)
3. Generate Server Certificate (signed by Server Intermediate CA)
4. Generate Client Certificate (signed by Client Intermediate CA)
5. Start OpenSSL Server with mTLS
6. Test with curl

Step 1: Create the Root CA
A Root Certificate Authority (Root CA) is the top-level trust anchor in a Public Key Infrastructure (PKI) that issues and signs digital certificates. It is self-signed and is used to verify and establish trust in all certificates issued under it.
First commmand generate the private key as a file rootCA.key and second will creates a self-signed Root CA certificate (rootCA.crt) valid for 10 years.

openssl genrsa -out rootCA.key 4096 
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=US/ST=State/L=City/O=RootCA/OU=IT/CN=root-ca"  

🔹 genrsa → Generates a RSA private key.
🔹 -out rootCA.key → Saves the key as rootCA.key.
🔹 4096 → Specifies the key size (4096 bits) for strong security.
🔹 req → Runs OpenSSL’s Certificate Signing Request (CSR) command.
🔹 -x509 → Creates a self-signed certificate instead of a CSR.
🔹 -new → Generates a new certificate request.
🔹 -nodes → No password protection on the private key (useful for automation).
🔹 -key rootCA.key → Uses the previously generated private key.
🔹 -sha256 → Uses SHA-256 as the hashing algorithm for the signature.
🔹 -days 3650 → Sets the certificate’s validity period to 3650 days (10 years).
🔹 -out rootCA.crt → Saves the Root CA certificate as rootCA.crt.
🔹 -subj “/C=US/ST=State/L=City/O=RootCA/OU=IT/CN=root-ca”
/C=US → Country (US)
/ST=State → State name
/L=City → City name
/O=RootCA → Organization (Root CA)
/OU=IT → Organizational Unit (IT)
/CN=root-ca → Common Name (Root CA’s name)

Step 2: Create Two Intermediate CAs
creates a Server Intermediate Certificate Authority (CA) that is signed by the Root CA.
Server Intermediate CA

openssl genrsa -out server-intermediateCA.key 4096
openssl req -new -key server-intermediateCA.key -out server-intermediateCA.csr -subj "/C=US/ST=State/L=City/O=ServerCA/OU=IT/CN=server-intermediate-ca"
openssl x509 -req -in server-intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server-intermediateCA.crt -days 3650 -sha256

First, This private key will be used to sign server certificates issued by this intermediate CA.
Second, This step generates a CSR that will be signed by the Root CA.
Third, This step creates a Server Intermediate CA certificate, signed by the Root CA.
🔹 server-intermediateCA.key → Private key for the Server Intermediate CA.
🔹 server-intermediateCA.csr > → CSR for the Server Intermediate CA.
🔹 server-intermediateCA.crt > → Intermediate CA certificate signed by the Root CA.
🔹 rootCA.srl > → Serial number file for tracking issued certificates.

Client Intermediate CA
Creates a Client Intermediate Certificate Authority (CA) that is signed by the Root CA.

openssl genrsa -out client-intermediateCA.key 4096
openssl req -new -key client-intermediateCA.key -out client-intermediateCA.csr -subj "/C=US/ST=State/L=City/O=ClientCA/OU=IT/CN=client-intermediate-ca"
openssl x509 -req -in client-intermediateCA.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client-intermediateCA.crt -days 3650 -sha256

🔹 client-intermediateCA.key → Private key for the Client Intermediate CA.
🔹 client-intermediateCA.csr > → CSR for the Client Intermediate CA.
🔹 client-intermediateCA.crt > → Intermediate CA certificate signed by the Root CA.
🔹 rootCA.srl > → Serial number file for tracking issued certificates.

Step 3: Generate Server Certificate (Signed by Server Intermediate CA)
Generates a server certificate signed by the Server Intermediate Certificate Authority (CA).

openssl genrsa -out server.key 4096
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=MyServer/OU=IT/CN=server.local"
openssl x509 -req -in server.csr -CA server-intermediateCA.crt -CAkey server-intermediateCA.key -CAcreateserial -out server.crt -days 3650 -sha256

Server Certificate Chain:

Root CA
  ├── Server Intermediate CA
       ├── Server Certificate (server.crt)

Step 4: Generate Client Certificate (Signed by Client Intermediate CA)
Generates a client certificate signed by the Client Intermediate Certificate Authority (CA).

openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr -subj "/C=US/ST=State/L=City/O=MyClient/OU=IT/CN=client.local"
openssl x509 -req -in client.csr -CA client-intermediateCA.crt -CAkey client-intermediateCA.key -CAcreateserial -out client.crt -days 3650 -sha256

Client Certificate Chain:

Root CA
  ├── Client Intermediate CA
       ├── Client Certificate (client.crt)

Create CA bundle: Concating both Intermediate certs and root CA into a single file.

cat server-intermediateCA.crt client-intermediateCA.crt rootCA.crt > ca-bundle.crt

Verify certificates:

openssl verify -CAfile full-chain.crt server.crt
server.crt: OK

openssl verify -CAfile full-chain.crt client.crt
client.crt: OK

The output of these commands indicates that both server.crt and client.crt are valid and properly signed by a Certificate Authority (CA).

Step 5: Start OpenSSL Server with mTLS

Run the server, requiring client authentication:

openssl s_server -accept 8443 -cert server.crt -key server.key -CAfile ca-bundle.crt -Verify 2

🔹 s_server → Starts an SSL/TLS server.
🔹 -accept 8443 → The server listens on port 8443 for incoming TLS connections.
🔹 -cert server.crt → Uses server.crt as the server’s certificate.
🔹 -key server.key → Uses server.key as the private key for the server.
🔹 -CAfile ca-bundle.crt → Specifies a file containing trusted CA certificates (intermediate + root CAs) to verify client certificates.
🔹 -Verify 2 → Requires mutual TLS (mTLS), meaning: The server will request a client certificate. The depth 2 means it will accept client certificates issued up to 2 levels deep in the CA hierarchy (e.g., Root CA → Intermediate CA → Client Certificate).

Step 6: Test with curl

Use curl with client authentication:

curl -v --cert client.crt --key client.key --cacert ca-bundle.crt https://server.local:8443

🔹 -v → Enables verbose mode, showing detailed SSL handshake and request/response details.
🔹 –cert client.crt → Specifies the client certificate to authenticate with the server.
🔹 –key client.key → Specifies the private key for the client certificate.
🔹 –cacert ca-bundle.crt → Specifies the trusted CA certificate bundle to verify the server’s certificate.
🔹 https://server.local:8443 → The target URL of the server, using HTTPS on port 8443.

openssl s_server -accept 8443 -cert server.crt -key server.key -CAfile full-chain.crt -Verify 2

verify depth is 2, must return a certificate
Using auto DH parameters
ACCEPT

depth=2 C = US, ST = State, L = City, O = RootCA, OU = IT, CN = root-ca
verify return:1
depth=1 C = US, ST = State, L = City, O = ClientCA, OU = IT, CN = client-intermediate-ca
verify return:1
depth=0 C = US, ST = State, L = City, O = MyClient, OU = IT, CN = client.local
verify return:1
Write BLOCK
GET / HTTP/1.1
Host: server.local:8443
User-Agent: curl/8.7.1
Accept: */*

DONE
shutting down SSL
CONNECTION CLOSED
ACCEPT

First, Server verified the Root CA (which issued the intermediate CA). The server verified the Client Intermediate CA. The client’s certificate was issued by this intermediate CA.And, verify return:1 means verification was successful.

curl -v --cert client.crt --key client.key --cacert full-chain.crt https://server.local:8443

* Host server.local:8443 was resolved.
* IPv6: (none)
* IPv4: 127.0.0.1
*   Trying 127.0.0.1:8443...
* Connected to server.local (127.0.0.1) port 8443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: full-chain.crt
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Certificate (11):
* (304) (OUT), TLS handshake, CERT verify (15):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=US; ST=State; L=City; O=MyServer; OU=IT; CN=server.local
*  start date: Mar 10 17:18:54 2025 GMT
*  expire date: Mar  8 17:18:54 2035 GMT
*  common name: server.local (matched)
*  issuer: C=US; ST=State; L=City; O=ServerCA; OU=IT; CN=server-intermediate-ca
*  SSL certificate verify ok.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: server.local:8443
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off

Curl command successfully established a mutual TLS (mTLS) connection with the server. mTLS was successfully established. The server authenticated itself to the client.The client authenticated itself to the server.A secure session was created, and data exchange began.