---
title: Setting up Mutual TLS authentication
summary: null
url: >-
  https://www.fastly.com/documentation/guides/getting-started/domains/securing-domains/setting-up-mutual-tls-authentication
---

Mutual TLS (mTLS) is an additional layer of network connection security that is added on top of our [existing TLS product](https://docs.fastly.com/products/tls-service-options). By default, the TLS protocol only requires a server to present a trusted certificate to the client. mTLS requires the client to also present a trusted certificate to the server. Instead of having to rely on traditional authentication methods like passwords or API keys, the server to client connection is secured using TLS certificates.

> **HINT:** Are you looking for information on applying TLS on connections between Fastly and your origin? Refer to our [Working with hosts](https://www.fastly.com/documentation/guides/getting-started/hosts/working-with-hosts#advanced-tls-options) guide.

## Prerequisites

To use mTLS, be sure you have the following prerequisites in place:

- a [paid account](https://www.fastly.com/documentation/guides/account-info/billing/account-types#other-paid-accounts) with a contract for Fastly's services.
- an existing TLS activation consisting of valid domains, a TLS configuration with the relevant domains added, and TLS certificate. The certificate may be either [Fastly-managed](https://www.fastly.com/documentation/guides/getting-started/domains/securing-domains/setting-up-tls-with-certificates-fastly-manages) or [self-managed](https://www.fastly.com/documentation/guides/getting-started/domains/securing-domains/setting-up-tls-with-your-own-certificates).
- a `.pem` file containing one or more certificates certified by a certification authority (CA). This file is used as your chain of trust to verify the client certificates for your connection.

> **HINT:** mTLS is supported on Compute services for origins configured via [Dynamic Backends](https://docs.fastly.com/products/compute#dynamic-backends). To set up mTLS for Compute services with static backends, contact [Fastly Support](https://support.fastly.com).

## Important considerations

You can have multiple root or intermediate certificates as long as they are combined into one certificate bundle (`.pem` file). However, if you have multiple SANs on your server-side certificate, it's best to separate the mTLS domains from your standard TLS certificates. Otherwise, some browsers will reuse the standard TLS connection and thereby bypass mTLS.
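Before uploading, it helps to confirm that the bundle holds only CA certificates and that a sample client certificate actually chains to it. The script below is an added example, not part of Fastly's documentation or tooling; it assumes the `openssl` CLI is installed, and every CA and client name in it is throwaway test material generated on the spot.

```bash
#!/usr/bin/env bash
# Added example (not Fastly's tooling): build and check an mTLS trust bundle.
# The CA and client names below are constructed, throwaway test material.
set -eu

# make_ca <name>: create a throwaway self-signed CA (<name>.key, <name>.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client <ca> <name>: issue a client certificate signed by <ca>.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# check_bundle <file>: succeed only if the file holds at least one
# certificate and no private key (a trust bundle must never carry keys).
check_bundle() {
  ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_client <bundle> <cert>: succeed if the client cert chains to the bundle.
verify_client() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: two trusted CAs combined into one bundle, one CA left out of it.
demo() {
  cd "$(mktemp -d)"
  make_ca ca-a; make_ca ca-b; make_ca ca-untrusted
  cat ca-a.crt ca-b.crt > bundle.pem            # the file you would upload
  issue_client ca-b good-client
  issue_client ca-untrusted bad-client
  check_bundle bundle.pem && echo "bundle: certificates only"
  verify_client bundle.pem good-client.crt && echo "good-client: accepted"
  verify_client bundle.pem bad-client.crt || echo "bad-client: rejected"
}
demo
```

With your real files, run `check_bundle` and `verify_client` against the bundle you intend to upload and a certificate issued to one of your clients.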

## Setting up mTLS for the first time

Setting up mutual TLS authentication consists of uploading an mTLS certificate and defining the domains you want to secure with mTLS. You can enforce an mTLS connection on all requests to your domains, denying a connection if a valid certificate isn't presented. Or, you can allow connections to proceed whether or not the mTLS connection is successful. The latter option lets you secure sensitive communications with mTLS while still allowing less sensitive data to be transmitted over non-mTLS connections, which can be useful as you transition to using mTLS.

To apply mTLS:

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).

3. Drag and drop your certificate file into the drag and drop area to upload it. Alternatively, click **Browse for certificate file** to navigate to the file on your system using the file picker. The Mutual TLS certificate details page appears.

4. In the **Mutual TLS certificate name** field, enter a name used to easily identify the certificate or certificate bundle in the Fastly control panel.

5. Do one of the following:
   - Leave the **Require mTLS** checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful.
   - Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails. This is useful when you are transitioning to mTLS and need to log or track requests sent without a client certificate.

6. Click **Save and next** to continue.

7. From the **Add domains** menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.

8. Click **Done**. A card for the new mTLS configuration is added to the Mutual TLS page.

> **HINT:** To have the client certificate appear in the header of a request, [update your custom VCL](https://www.fastly.com/documentation/reference/vcl/variables/client-connection/tls-client-certificate-raw-certificate-b64/) after you set up mTLS.

## Uploading additional mTLS certificates

You can upload additional certificates or certificate bundles to apply mutual TLS authentication to your domains.

To upload additional certificates:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click **Upload mutual TLS certificate**.
4. Navigate to the `.pem` that contains the certificate or certificate bundle. This file is used as your chain of trust to verify the client certificates for your connection.
5. In the **Mutual TLS certificate name** field, enter a name used to easily identify the certificate in the web interface.
6. Leave the **Require mTLS** checkbox selected to enforce mTLS and only allow a connection when mTLS authentication is successful. Deselect the checkbox to allow a connection to proceed even if mTLS authentication fails.
7. Click **Save and next** to continue.
8. From the **Add domains** menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
9. Click **Done**. A card for the new mTLS configuration is added to the Mutual TLS page.

## Adding and removing domains

From the mTLS certificate details page, you can edit the domains on which mTLS is enforced.

To add domains:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click **View certificate details**.
4. From the **Add domains** menu, select the active domains you want mTLS applied to. You can use the search box to search for domains by name, certificate, or TLS configuration.
5. Click **Done** to save your changes.

To remove domains:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click **View certificate details**.
4. Click the trash icon next to the domain you want to remove.
5. Click **Done** to save your changes.

## Editing Mutual TLS certificate details

From the mTLS certificate details page, you can edit the authentication name and the mTLS enforcement option.

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click **View certificate details**.
4. Click **Back to certificate settings**.
5. In the **Mutual TLS certificate name** field, enter a name used to easily identify the certificate in the web interface.
6. Use the **Require mTLS** checkbox to determine whether mTLS is enforced. If selected, connections are only allowed when mTLS authentication is successful. If deselected, connections proceed even if mTLS authentication fails.

## Replacing an mTLS certificate

From the Mutual TLS page, you can replace the certificate used for mTLS.

To replace the certificate:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click **Replace** on the card for the mTLS configuration you want to update.
4. Drag and drop your certificate file into the drag and drop area to upload it. Alternatively, click **Browse for certificate file** to navigate to the file on your system using the file picker.
5. Click **Submit** to save your changes.

## Deleting an mTLS authentication

To delete an mTLS configuration, you must ensure there are no active domains on the mutual authentication. If there are, [edit the configuration](https://www.fastly.com/documentation/guides/getting-started/domains/securing-domains/setting-up-mutual-tls-authentication#editing-mutual-tls-certificate-details) to remove the active domains before proceeding.

To delete an mTLS configuration:

1. Log in to the [Fastly control panel](https://manage.fastly.com).
2. Go to **Domains** > **TLS management** > [**Mutual TLS**](https://manage.fastly.com/network/mutual-authentications).
3. Click the trash icon on the card for the mTLS configuration you want to delete.
4. Confirm that you want to delete the mutual authentication and then click **Delete**.

## Related content

- [Mutual TLS API documentation](https://www.fastly.com/documentation/reference/api/tls/mutual-tls/)
