1 min read

OAuth2 mTLS Client Authentication

Learn how to configure Cloudentity so that it verifies client application's root certificates instead of the system root certificates in case the mTLS client authentication method is enabled.

About Certificates in mTLS

If your application is configured to use mutual Transport Layer Security (mTLS), you can add trusted client certificates that are verified by Cloudentity when the TLS handshake happens. If you add a trusted client certificate, Cloudentity trusts any certificates issued by that particular Certificate Authority (CA). Then, Cloudentity only verifies if the certificate had not expired prior to the TLS handshake and that the certificate is signed by the CA that your workspace (authorization server) is configured to recognize.

If you add your own client certificates, they are used instead of system root certificates that can be found in your Cloudentity’s configuration files.

Enable Root CAs

  1. In your workspace, go to Auth Settings > OAuth > Client Authentication.

  2. Navigate to the Trusted client certificates section.

  3. Enter a PEM-encoded root CA certificate into the Root CAs field and select Save changes.


For client applications with the tls_client_auth method enabled, root CA certificates are used instead of system root certificates.

Updated: Jul 11, 2022