About Certificates in mTLS
If your application is configured to use mutual Transport Layer Security (mTLS), you can add trusted client certificates that are verified by Cloudentity when the TLS handshake happens. If you add a trusted client certificate, Cloudentity trusts any certificates issued by that particular Certificate Authority (CA). Then, Cloudentity only verifies if the certificate had not expired prior to the TLS handshake and that the certificate is signed by the CA that your workspace (authorization server) is configured to recognize.
If you add your own client certificates, they are used instead of system root certificates that can be found in your Cloudentity’s configuration files.
Enable Root CAs
In your workspace, go to Auth Settings > OAuth > Client Authentication.
Navigate to the Trusted client certificates section.
Enter a PEM-encoded root CA certificate into the Root CAs field and select Save changes.
For client applications with the tls_client_auth method enabled, root CA certificates are used instead of system root certificates.