FusionAuth
    How to implement mutual TLS (mTLS) with FusionAuth — best practices and real-world solutions?

    General Discussion
    • ehallpassofficial

      Hello FusionAuth community,

      1. Background:

      I’m currently using FusionAuth (self-hosted / cloud) and I need to implement mutual TLS (client certificate verification) for enhanced security. I’ve seen a few forum posts mentioning that FusionAuth doesn’t natively support mTLS, and that people often rely on workarounds like Nginx, ALB, or custom token flows.

      2. Main Challenge:

      If I’m running FusionAuth on <your version/setup>, what’s the recommended way to enable mTLS smoothly?

      Has anyone tried the “certificate hash injection” approach or “cnf claim injection” with Lambdas? Did you face any performance or maintainability issues?

      Are there any differences in handling mTLS between FusionAuth Cloud and self-hosted deployments?

      3. My Current Setup (for context):

      FusionAuth version: 1.5x

      Deployment: Self-hosted Docker / AWS

      Proxy: Nginx (or ALB) as TLS terminator

      Use case: High-security banking app where client certificates are required

      4. Specific Questions:

      What’s considered best practice — proxy-level mTLS with FusionAuth behind it, or Lambda-based token injection?

      How do you handle certificate rotation and validation efficiently?

      If you’ve already implemented this kind of setup, what tips or pitfalls should I watch out for?

      5. Closing:

      Any advice, shared experiences, or helpful resources would be greatly appreciated. Thanks in advance!
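      The “cnf claim injection” approach the post asks about is the certificate-bound token scheme from RFC 8705: the token issuer puts the SHA-256 thumbprint of the client certificate into a `cnf` claim (`x5t#S256`), and whatever consumes the token rejects it unless the certificate on the current TLS connection has the same thumbprint, so a stolen token is useless without the matching private key. The Python below is an added example, not FusionAuth code or anything posted in this thread; the certificate bytes and the token are constructed stand-ins, and the hook that would add the claim inside FusionAuth is assumed rather than shown.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-ins: NOT real DER certificates, just bytes to hash.
DEMO_CERT_DER = b"constructed-not-a-real-certificate-A"
OTHER_CERT_DER = b"constructed-not-a-real-certificate-B"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and RFC 8705 require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(certificate DER))."""
    return b64url(hashlib.sha256(cert_der).digest())


def make_cnf_claim(cert_der: bytes) -> dict:
    """The claim an issuer-side hook (assumed) would add for the
    certificate the proxy verified on the token request."""
    return {"cnf": {"x5t#S256": x5t_s256(cert_der)}}


def demo_token(payload: dict) -> str:
    """Demo-only compact JWS with a placeholder signature segment."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


def decode_jwt_payload(token: str) -> dict:
    """Return the payload; signature verification is assumed to have
    already happened with the issuer's public key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(body))


def token_bound_to_cert(payload: dict, presented_der: bytes) -> bool:
    """Resource-server check: accept only if the cnf thumbprint matches
    the client certificate seen on this TLS connection. A token with no
    cnf claim is treated as unbound and refused."""
    cnf = payload.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, x5t_s256(presented_der))
```

      The proxy that terminates TLS must pass the verified certificate (or its thumbprint) to the backend over a channel clients cannot spoof; the binding check is only as good as that header’s integrity.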
      • mark.robustelli @ehallpassofficial

        @ehallpassofficial From what I can tell, you are right on with using the proxy as the way to go. I don't have specific experience with that so would love to hear from the community on theirs as well. I did find an open issue with this request and suggest you upvote it to give it some visibility.

        • vinversesolutions

          I see your point about using a proxy, but I’m not fully convinced it’s the best long-term solution.

          The problem with putting all the responsibility on the proxy is that it creates another layer of complexity and a single point of failure. If FusionAuth is going to support enterprise-level security use cases, shouldn’t mTLS be handled natively instead of relying on external workarounds?

          Upvoting the issue is fine, but depending on a proxy feels more like a patch than a real fix. Curious to hear if others think this approach is sustainable, or if we should be pushing harder for first-class support directly in FusionAuth.
