Configure mTLS
Notice
This How-to guide refers to ALSAASPM-N-195 where you also find an overview of the differences between TLS and mTLS.
Certificates
Signed Server Certificate
Server certificate: Used in the tenant mTLS settings
CAs for server certificate: Used in the GW backend group SSL settings
Use the following values:
Country Name (2 letter code) [AU]:#####
State or Province Name (full name) [Some-State]:#####
Locality Name (eg, city) []:#####
Organization Name (eg, company) [Internet Widgits Pty Ltd]:#####
Organizational Unit Name (eg, section) []:#####
Common Name (e.g. server FQDN or YOUR name) []:login-<tenantId>.airlock.cloud
Email Address []:#####
# Create private key and CSR
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr
# Create Root CA
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout server-rootCA.key -out server-rootCA.crt
# Create config file "server.ext" for signing with the following content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = login-<tenantId>.airlock.cloud
# Sign server certificate
openssl x509 -req -CA server-rootCA.crt -CAkey server-rootCA.key -in server.csr -out server.crt -days 365 -CAcreateserial -extfile server.ext
# View signed server certificate
openssl x509 -text -noout -in server.crt
Signed Client Certificate
Client certificate with a matching SAN: Used in the GW backend group SSL settings
CAs for client certificate: Used in the tenant mTLS settings
Use the following values:
Country Name (2 letter code) [AU]:#####
State or Province Name (full name) [Some-State]:#####
Locality Name (eg, city) []:#####
Organization Name (eg, company) [Internet Widgits Pty Ltd]:#####
Organizational Unit Name (eg, section) []:#####
Common Name (e.g. server FQDN or YOUR name) []:<gateway.com>
Email Address []:#####
# Create private key and CSR
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
# Create Root CA
openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -keyout client-rootCA.key -out client-rootCA.crt
# Create config file "client.ext" for signing with the following content:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
subjectAltName = @alt_names
[alt_names]
DNS.1 = <gateway.com>
# Sign client certificate
openssl x509 -req -CA client-rootCA.crt -CAkey client-rootCA.key -in client.csr -out client.crt -days 365 -CAcreateserial -extfile client.ext
# View signed client certificate
openssl x509 -text -noout -in client.crt