---
title: mTLS Configuration
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/mtls-configuration/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/mtls-configuration/
last_updated: 2026-06-20
---

# mTLS Configuration

> Configure mutual TLS (mTLS) for zero-trust service-to-service communication.

A hands-on guide to configuring mutual TLS for zero-trust service-to-service communication. It covers certificate hierarchy, automated rotation, and identity-based authorization with ready-to-apply templates for Istio, Linkerd, cert-manager, and SPIFFE/SPIRE, so internal traffic is encrypted and verified on both ends.

## Use cases
- Enforcing strict mutual TLS across a service mesh and migrating safely from permissive mode
- Setting up short-lived workload certificates with automatic rotation
- Debugging failed TLS handshakes step by step from cert expiry to chain trust
- Securing cross-cluster and multi-cloud communication with federated trust
- Meeting compliance requirements for encrypted internal communication
- Assigning platform-agnostic workload identities with SPIFFE and SPIRE

## Benefits
- Shut down lateral-movement attacks by verifying every internal connection
- Prevent silent service outages from expired certificates through automated rotation
- Contain the blast radius of a compromise with a layered CA hierarchy
- Cut handshake failures to zero with a fail-secure, deny-by-default posture

## What’s included
- Istio PeerAuthentication and DestinationRule templates for strict and mutual modes
- cert-manager certificate configs with short duration and renew-before windows
- SPIFFE/SPIRE setup for identity-based authorization across clusters
- Linkerd automatic-mTLS verification and external-service handling
- A handshake-lifecycle debugging sequence for cert and cipher failures
- Certificate-rotation commands and a do/don't operational checklist

## Who it’s for
Platform and security engineers implementing zero-trust networking and certificate management across Kubernetes service meshes.

## How it runs
In a zero-trust mesh, every service proves who it is on every call. Certificates rotate in hours, not quarters, and this wiring treats manual renewal as a scheduled outage.
1. Sets the policy posture first: Istio PeerAuthentication STRICT mesh-wide, with PERMISSIVE allowed only as a dated migration window for legacy namespaces, plus port-level exceptions (a metrics port can be explicitly excluded).
2. Configures both directions of trust: DestinationRule ISTIO_MUTUAL inside the mesh, SIMPLE or MUTUAL with explicit client cert, key and CA paths for external partners, so outbound trust is as deliberate as inbound.
3. Automates certificate life with cert-manager: workload certs at 24-hour duration with 8-hour renewBefore, correct SAN list and both server auth and client auth usages; manual rotation is treated as a future outage.
4. Builds the CA hierarchy for blast-radius containment: an offline root CA and per-cluster intermediate CAs, so a compromised cluster CA can be revoked along with that cluster's certs without touching the rest; SPIFFE/SPIRE identities are added for multi-cluster federation.
5. Verifies instead of trusting: istioctl authn tls-check per service, proxy-config secret decoded through openssl to read real expiry dates, linkerd viz edges where Linkerd carries the mTLS.
6. Debugs handshake failures along the lifecycle order: TLS version mismatch, then CA trust chain, then SAN mismatch or expired cert, then cipher negotiation, each with its own check, so the failure point is located instead of guessed.
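The posture from steps 1 to 3 as manifests, added here as an illustration rather than taken from the product's templates; the `payments` namespace, `app: payments` label, port `9090`, SPIFFE trust domain `cluster.local` and the `cluster-intermediate-ca` ClusterIssuer are assumed names.

```yaml
# Mesh-wide default: every workload must present a client cert (constructed example).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # root namespace, so the policy applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# Port-level exception: the scrape port stays plaintext, every other port stays STRICT
# (portLevelMtls needs a workload selector; app label and port are assumed).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: payments-metrics-exception
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments
  mtls:
    mode: STRICT
  portLevelMtls:
    9090:
      mode: DISABLE
---
# Short-lived workload cert: 24h lifetime, renewed 8h before expiry, usable on both
# sides of the handshake, with a fresh private key on every renewal.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: payments-workload
  namespace: payments
spec:
  secretName: payments-workload-tls
  duration: 24h
  renewBefore: 8h
  dnsNames:
    - payments.payments.svc.cluster.local
  uris:
    - spiffe://cluster.local/ns/payments/sa/payments   # SPIFFE ID as URI SAN (assumed)
  usages:
    - server auth
    - client auth
  privateKey:
    algorithm: ECDSA
    rotationPolicy: Always
  issuerRef:
    name: cluster-intermediate-ca   # assumed per-cluster intermediate, not the offline root
    kind: ClusterIssuer
```

Apply the mesh-wide STRICT policy only after `kubectl get peerauthentication -A` shows no remaining PERMISSIVE namespaces still inside their migration window.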

## FAQ
### We run Linkerd, not Istio. Am I covered?
Both meshes are covered: Istio gets PeerAuthentication and DestinationRule templates for strict and mutual modes, Linkerd gets automatic-mTLS verification and external-service handling. The cert-manager and SPIFFE/SPIRE setups apply regardless of mesh.

### How do we stop expired certificates from silently taking services down?
Certificates are issued short-lived with renew-before windows in the cert-manager configs, so rotation happens automatically well before expiry. The rotation commands and the do/don't checklist cover the operational side, and the handshake-debugging sequence catches what still slips through.

### Does it handle user-facing TLS, like browsers hitting our public site?
No. The scope is zero-trust service-to-service traffic inside and across clusters. Public edge TLS, CDN certificates, and browser-facing termination are a different problem with different tooling.

## Price
$15, one-time, no subscription. VAT included.

