
Mutual TLS (mTLS)

Mutual Transport Layer Security (mTLS), also known as two-way TLS, is a mode of TLS in which the client and the server each present an X.509 certificate and authenticate each other before the encrypted session is established. In ordinary TLS only the client authenticates the server; the server accepts a connection from any client.

Mutual TLS authentication is a key component in setting up a Zero Trust Security architecture.

Overview

SocketXP IoT Gateway supports mTLS authentication by verifying both the server certificate and the client certificate against a trusted CA certificate. Devices or end users that try to connect to the gateway with a certificate not issued by this trusted CA are rejected.

SocketXP IoT Cloud Gateway has a built-in BastionXP CA (Certificate Authority) module that functions as a private CA. The CA module has its own root CA certificate, which is used to sign and issue certificates to endpoints such as IoT devices and end users.

SocketXP IoT Cloud Gateway performs mutual TLS authentication on every connection to the gateway port configured as the mTLS port (9444).
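The check the page describes, as an added example that is not SocketXP's own code: a throwaway private CA stands in for the BastionXP CA module (or for a CA of your own), issues a device certificate, and the gateway-side decision is reduced to a chain verification against that one trust anchor. The CA name "BastionXP Root CA", the device name "iot-device-001" and the second "rogue" CA are assumptions made for the demo. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not SocketXP code): a private CA, a device certificate issued
# by it, and the accept/reject decision an mTLS gateway port makes.
# Assumed names: "BastionXP Root CA", "iot-device-001", "Some Other CA".
set -u

# make_ca DIR NAME : create a self-signed root CA (key + cert) in DIR
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert DIR CN OUT : generate a key and CSR for CN, sign it with the CA in DIR
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$3.key" -out "$3.csr" -subj "/CN=$2" >/dev/null 2>&1 &&
  openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 90 -out "$3.crt" >/dev/null 2>&1
}

# gateway_check CA_CRT LEAF_CRT : the decision the mTLS port makes on a
# presented certificate. Returns 0 (accept) only when the certificate chains
# to the trusted CA; anything else, including an unreadable cert, is 1 (reject).
gateway_check() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "accept: $2 chains to trusted CA $1"
    return 0
  fi
  echo "reject: $2 was not issued by the trusted CA"
  return 1
}

# mtls_demo : build a trusted CA and a rogue CA, issue a device certificate
# from each (same CN, so only the issuer differs), and run the gateway check
# on both. Returns 0 when the trusted device is accepted and the rogue rejected.
mtls_demo() {
  work=$(mktemp -d) || return 2
  mkdir "$work/trusted" "$work/rogue" || return 2
  make_ca "$work/trusted" "BastionXP Root CA" || return 2
  make_ca "$work/rogue" "Some Other CA" || return 2
  issue_cert "$work/trusted" "iot-device-001" "$work/device-good" || return 2
  issue_cert "$work/rogue"   "iot-device-001" "$work/device-bad"  || return 2

  gateway_check "$work/trusted/ca.crt" "$work/device-good.crt" && good=0 || good=1
  gateway_check "$work/trusted/ca.crt" "$work/device-bad.crt"  && bad=0  || bad=1
  rm -rf "$work"

  [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

mtls_demo
```

The second device certificate carries the same subject as the first and is only rejected because its issuer is not the trust anchor. That is the whole of the guarantee an mTLS port gives you: any certificate that chains to the trusted CA is accepted, so whoever can get a certificate issued by that CA can reach the gateway, and issuance and revocation controls on the CA matter as much as the TLS check itself.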

BYOCA

SocketXP IoT Gateway Platform (Self-Hosted Version) supports the BYOCA (Bring Your Own Certificate Authority) deployment model, which lets you create a private CA of your choice on-premises and anchor it as the gateway's trust root for issuing SSL/TLS certificates to your devices and access endpoints.

In the on-prem self-hosted version the built-in BastionXP CA module is optional: you can use it if you wish, or replace it with a CA of your own.