How does mTLS differ from standard TLS?

In standard TLS, only the server presents a certificate to prove its identity -- the client verifies the server but the server does not verify the client. In mTLS (mutual TLS), both parties present certificates and verify each other. This two-way authentication ensures that only authorized clients can connect to the service, and clients can be certain they are communicating with the legitimate service. For EUDI Wallet infrastructure, this prevents unauthorized services from accessing internal APIs or impersonating trusted components.

Where is mTLS used in EUDI Wallet infrastructure?

mTLS is used in several EUDI Wallet contexts: between backend microservices (ensuring only authorized services communicate with each other), between wallet apps and issuer endpoints during credential issuance (proving the wallet instance is legitimate), between issuers and the trust registry (securing trust chain queries), and within Kubernetes clusters via service meshes like Istio. It is also used for OAuth 2.0 client authentication using the "tls_client_auth" method defined in RFC 8705.

How do service meshes implement mTLS for EUDI Wallet backends?

Service meshes like Istio or Linkerd inject sidecar proxies alongside each microservice container. These proxies automatically handle mTLS between services: they generate and rotate certificates, encrypt all inter-service traffic, and verify peer identities -- all without requiring any code changes in the application services themselves. This "transparent mTLS" approach allows EUDI Wallet developers to focus on business logic while the infrastructure handles secure communication automatically.

mTLS (Mutual TLS) - EUDI Wallet Glossary

mTLS

security

Full Name: Mutual TLS

Definition

Mutual TLS (mTLS), also known as two-way TLS or client certificate authentication, is an extension of the standard TLS protocol where both the client and the server authenticate each other using X.509 certificates during the TLS handshake. While standard TLS only requires the server to present a certificate (proving the website is who it claims to be), mTLS requires the client to also present a certificate, enabling the server to verify the client's identity. In the EUDI Wallet ecosystem, mTLS is a fundamental security mechanism used to protect inter-service communication within backend infrastructure, authenticate wallet instances during credential issuance, and secure communications between trust framework components.

How mTLS Works: The Handshake Process

The mTLS handshake extends the standard TLS handshake with additional certificate exchange steps. First, the client connects to the server, and the server presents its certificate. The client verifies the server's certificate against its trusted certificate authority (CA) list, as in standard TLS. Then, the server requests the client's certificate. The client presents its certificate, and the server verifies it against its own trusted CA list. Only if both verifications succeed does the encrypted connection proceed.

This two-way verification provides several security guarantees beyond standard TLS. The server knows with cryptographic certainty which client is connecting, not just that some client is connecting. The client knows it is communicating with the legitimate server. Both parties can be confident that no man-in-the-middle attacker has intercepted the connection, because such an attacker would not possess the private key for either certificate.

For EUDI Wallet infrastructure, certificate management is typically automated through certificate authorities operated as part of the trust framework. Each microservice receives its own certificate identifying its role and authorized access level. These certificates are short-lived (hours to days) and automatically rotated to minimize the impact of any certificate compromise.

The key rotation of mTLS certificates is automated in modern deployments through tools like cert-manager in Kubernetes or built-in certificate management in service meshes. This ensures that even if a certificate is compromised, its useful lifetime is extremely limited.

mTLS in EUDI Wallet Backend Infrastructure

Within EUDI Wallet backend deployments, mTLS serves as the primary mechanism for zero-trust networking. In a zero-trust architecture, no service is trusted by default based on network location -- every service must prove its identity for every connection. mTLS provides this proof through certificate-based mutual authentication.

Service mesh technologies like Istio, Linkerd, or Consul Connect implement mTLS transparently for all service-to-service communication within a Kubernetes cluster. Sidecar proxy containers are injected alongside each application container, automatically handling certificate management, TLS termination, and peer verification. The application code itself does not need any modification to benefit from mTLS protection.

This transparent mTLS approach is particularly valuable for EUDI Wallet infrastructure because it ensures that sensitive identity data flowing between services (credential attributes, signing key references, revocation status) is always encrypted and authenticated, regardless of whether individual service developers remembered to implement security measures in their code.

Network policies combined with mTLS provide defense in depth. Even if an attacker compromises one service and obtains its mTLS certificate, Kubernetes network policies prevent that service from communicating with services it is not authorized to access. The compromised credential issuance service cannot reach the audit logging system because network policies block the connection, regardless of the certificate it presents.

mTLS for OAuth 2.0 Client Authentication

RFC 8705 defines how mTLS can be used for OAuth 2.0 client authentication, replacing traditional client secrets with certificate-based authentication. In the EUDI Wallet ecosystem, this is used when wallet instances authenticate to authorization servers during the OpenID4VCI credential issuance flow.

When a wallet app requests a credential, it establishes an mTLS connection to the issuer's authorization server. The wallet presents a client certificate that proves its identity as a legitimate, attested wallet instance. The authorization server verifies this certificate against the trusted wallet provider CAs in the EUDI trust framework. This is more secure than client secret authentication because the private key never leaves the device (and ideally is stored in hardware-backed secure storage).

Certificate-bound access tokens (RFC 8705 Section 3) further strengthen this by binding the issued access token to the client's TLS certificate. Even if the access token is intercepted, it cannot be used from a different TLS connection because the server will verify that the presenting client's certificate matches the certificate hash embedded in the token. This prevents token theft and relay attacks.

What is mTLS?

mTLS: Mutual TLS

mTLS

Definition

How mTLS Works: The Handshake Process

mTLS in EUDI Wallet Backend Infrastructure

mTLS for OAuth 2.0 Client Authentication

Related Terms

Kubernetes

Microservices

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ Kubernetes

→ Microservices

→ OAuth 2.0

Quellen

⚠️ Independent Information