mTLS

In our environment we make extensive use of mTLS, that is, client certificates.

We decided to use client certificates because:

  • We already have a PKI in place

  • Our proxy allows us to enforce them

  • mTLS is often much easier to use than VPNs

Get the root certificate

The root certificate can be downloaded directly from the CA.

Important

The CA is only reachable from within our networks.

Get a client certificate

To get a valid SSL client certificate:

  1. Log in to Mattermost.

  2. Enter /cert

  3. Follow the instructions

Hint

CertBob is in charge of providing employees with SSL client certificates via Mattermost.
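Before installing the bundle on a device, it is worth confirming that it opens with your passphrase and was issued by the root certificate downloaded above. The script below is an added example, not part of the original page or its tooling. It assumes the openssl command-line tool is installed, that the root file also contains any intermediate CA certificates, and it uses a hypothetical environment variable name, P12_PASS, for the passphrase.

```shell
#!/bin/sh
# Added example. The passphrase is read from the environment variable P12_PASS
# (a name chosen for this example) so it never shows up in the process list.

# check_p12 BUNDLE ROOT_PEM
# Returns 0 if the client certificate in BUNDLE was issued by ROOT_PEM and is
# still valid, 1 if a check fails, 2 if the bundle cannot be opened.
check_p12() {
    bundle=$1; root=$2
    tmp=$(mktemp) || return 2
    # Extract only the client certificate; the private key stays in the bundle.
    if ! openssl pkcs12 -in "$bundle" -clcerts -nokeys \
            -passin env:P12_PASS -out "$tmp" 2>/dev/null; then
        echo "cannot open $bundle: wrong passphrase or not PKCS#12" >&2
        rm -f "$tmp"; return 2
    fi
    rc=0
    openssl verify -CAfile "$root" "$tmp" >/dev/null 2>&1 ||
        { echo "certificate does not chain to $root" >&2; rc=1; }
    openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; rc=1; }
    # Show who the certificate is for and when it must be renewed.
    [ "$rc" -eq 0 ] && openssl x509 -in "$tmp" -noout -subject -enddate
    rm -f "$tmp"
    return "$rc"
}

# Constructed test data only: a throwaway CA and client bundle in directory $1.
make_constructed_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed.user" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -passout env:P12_PASS -out "$d/client.p12"
}
```

With the real files, export P12_PASS and call check_p12 with the path of your PKCS12 bundle and the path of the downloaded root certificate.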

Install client certificate

Client certificate on iOS

The most straightforward way to install the certificate on iOS is to:

  • Send the PKCS12 certificate by e-mail to yourself

  • Open the certificate on iOS

  • Enter your iOS PIN or password

  • Enter the certificate passphrase

  • Click on Install

Client certificate on Android

The most straightforward way to install the certificate on Android is to:

  • Transfer the PKCS12 certificate to your phone

  • Go to Settings -> Passwords & Security -> Privacy -> Encryption & Credentials -> Install from storage

  • Select the PKCS12 certificate to install from storage

Client certificate on macOS

The most straightforward way to install the certificate on macOS is to:

  • Double-click the PKCS12 certificate

  • Enter the certificate passphrase

Client certificate on Windows

To add the certificate on Windows:

  • Rename the PKCS12 certificate to *.pfx

  • Double-click the PFX certificate

  • Select Current User in the welcome screen

  • Accept the file name of the certificate (should be the PFX file)

  • Enter the certificate passphrase, and accept all other default values

  • Let Windows automatically select the certificate store, based on the type of certificate

  • Finish the installation