# mTLS

Mutual TLS authentication (also called *Mutual SSL authentication*, *mTLS authentication*, or *mTLS* for short) is a method for clients to authenticate themselves when accessing a server. It is an authentication method implemented on the transport layer, not in the application protocol. That often makes mTLS a new paradigm for people and sometimes hard to understand. This page should provide some clarity.

In regular TLS communication, only the server presents a certificate, so that the client can verify the identity of the server. In mTLS, the client making the call to the server presents a certificate as well, enabling the server to verify the identity of the client too.

To summarize the setup of mTLS compared to regular TLS communication:

* The entity performing the call is the client and should **present a client certificate**.
* The entity receiving the call is the server and should **verify** the client certificate.

{% embed url="https://www.codeproject.com/Articles/326574/An-Introduction-to-Mutual-SSL-Authentication" %}

### KPN certificates

KPN server certificate CAs:

* AAA Certificate Services: <https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO>
* Sectigo Public Server Authentication Root R46: <https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO>

KPN mTLS certificate CAs:

* AAA Certificate Services: <https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO>
* Sectigo Public Server Authentication Root R46: <https://www.sectigo.com/knowledge-base/detail/Sectigo-Intermediate-Certificates/kA01N000000rfBO>
* KPN IoT Private Root CA 1:

{% file src="/files/DfbEOXnEUJCoBKlWDa0e" %}

### How it works

The verbose `curl` session below shows an mTLS call: `--cacert` supplies the CA used to verify the server, while `--cert` and `--key` supply the client certificate and its private key. In the handshake, the server asks for a client certificate (`Request CERT (13)`) and the client answers with its `Certificate (11)` and a `CERT verify (15)` message before any application data is sent.

```
curl -v https://rsp.kpnthings.com/esim-messaging/3/ES4/ES4SmSrService --cert mycert.crt --key mykey.key --cacert cacert.crt --data 'test'

*   Trying 145.128.79.83...
* TCP_NODELAY set
* Connected to rsp.kpnthings.com (145.128.79.83) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: cacert.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=rsp.kpnthings.com
*  start date: Sep  8 00:00:00 2020 GMT
*  expire date: Sep  9 23:59:59 2021 GMT
*  subjectAltName: host "rsp.kpnthings.com" matched cert's "rsp.kpnthings.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fdb4700aa00)
> POST /esim-messaging/3/ES4/ES4SmSrService HTTP/2
> Host: rsp.kpnthings.com
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 4
> Content-Type: application/x-www-form-urlencoded

```
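As an added example (not part of the original page or of the KPN Things API), the same exchange in Go: a server configured with `RequireAndVerifyClientCert` emits the "Request CERT" message seen above and completes the handshake only for clients whose certificate chains to a trusted client CA. The certificates, the host name `rsp.example.test`, the client name `device-client` and the `X-Client-CN` header are all constructed test material; in the self-signed setup each leaf doubles as its own CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func selfSigned(name string, use x509.ExtKeyUsage) tls.Certificate { // throwaway test cert, not a KPN CA
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{use},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// mtlsExchange POSTs to a server that requires client certificates and returns the client identity
// the server saw; without a client certificate the handshake itself is rejected, not just the request.
func mtlsExchange(presentClientCert bool) (string, error) {
	serverCert, clientCert := selfSigned("rsp.example.test", x509.ExtKeyUsageServerAuth), selfSigned("device-client", x509.ExtKeyUsageClientAuth)
	clientCAs, serverCAs := x509.NewCertPool(), x509.NewCertPool()
	clientCAs.AddCert(clientCert.Leaf) // server side: CAs whose clients may call (the "verify" step)
	serverCAs.AddCert(serverCert.Leaf) // client side: regular server verification (curl --cacert)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is only populated once the client certificate verified against ClientCAs.
		w.Header().Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName) // constructed header name
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: clientCAs, ClientAuth: tls.RequireAndVerifyClientCert} // server sends "Request CERT"
	srv.StartTLS()
	defer srv.Close()
	cfg := &tls.Config{RootCAs: serverCAs, ServerName: "rsp.example.test"}
	if presentClientCert {
		cfg.Certificates = []tls.Certificate{clientCert} // curl --cert/--key equivalent
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Post(srv.URL, "application/x-www-form-urlencoded", nil)
	if err != nil {
		return "", err // e.g. "remote error: tls: certificate required"
	}
	resp.Body.Close()
	return resp.Header.Get("X-Client-CN"), nil
}
```

Calling `mtlsExchange(true)` returns `device-client`; `mtlsExchange(false)` returns a TLS error because the server aborts the handshake instead of answering with an HTTP status.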
