Client certificates
Client certificates provide mutual TLS (mTLS) authentication. In standard TLS only the server presents a certificate and the client verifies it; with mTLS the client also presents an X.509 certificate, which the server verifies against a trusted CA before the connection is used. The result is a channel in which both ends are authenticated, not just the server.
Client certificates in Frontdoor enable you to:
- Authenticate clients using X.509 certificates instead of or in addition to other authentication methods
- Implement zero-trust security architectures where every connection is verified
- Meet compliance requirements that mandate certificate-based authentication
- Secure service-to-service communication in microservices architectures
Certificate types
Frontdoor supports two ways to obtain client certificates:
Upload existing certificates
Use certificates you already have from your existing PKI infrastructure:
- Certificates issued by your organization's CA
- Third-party certificates from commercial CAs
- Self-signed certificates for testing environments
Generate from Certificate Signing Requests (CSRs)
Have NetFoundry issue the certificates for you:
- NetFoundry acts as the Certificate Authority (CA)
- Certificates are issued to your organization under an intermediate certificate that is unique to your Frontdoor
- Each certificate is issued from its own certificate signing request (CSR); the private key that produced the CSR stays with the client and is not sent to NetFoundry
- Certificates are valid for 365 days, so rotation has to be scheduled within that window
- Certificates include the appropriate key usage extensions
- Issued certificates are automatically integrated into Frontdoor's trust model
- Certificate lifecycle management is simplified
For more info, see ../how-to-guides/create-client-certificate.mdx.
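The client side of the CSR flow, as an added example in Go that is not NetFoundry's own code or tooling: generate a P-256 key, build a CSR from it, and verify the CSR's self-signature before sending it to the CA. The subject values, organization and file names are assumptions for illustration; the private key is written locally with owner-only permissions and only the CSR leaves the machine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"os"
)

// newClientKey generates the client's P-256 private key. In the CSR flow the
// key is created here, on the client, and never leaves it; only the CSR
// derived from it is sent to the CA.
func newClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newCSR builds a PEM-encoded certificate signing request carrying the key's
// public half and a subject. The subject values are illustrative; the CA
// decides which fields it honours and which extensions (key usage, EKU) the
// issued certificate receives.
func newCSR(key *ecdsa.PrivateKey, commonName, org string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: commonName, Organization: []string{org}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// checkCSR parses a PEM CSR and verifies its self-signature. A valid signature
// proves the requester controls the private key matching the public key in
// the request, which is what a CA checks before issuing.
func checkCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

func main() {
	key, err := newClientKey()
	if err != nil {
		panic(err)
	}
	// Hypothetical identity for a workload behind Frontdoor.
	csrPEM, err := newCSR(key, "svc-payments.prod.example.internal", "Example Corp")
	if err != nil {
		panic(err)
	}
	csr, err := checkCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CSR for %q, signature OK; send client.csr to the CA\n", csr.Subject.CommonName)

	// Keep the private key local with owner-only permissions; only client.csr is uploaded.
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		panic(err)
	}
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	if err := os.WriteFile("client.key", keyPEM, 0o600); err != nil {
		panic(err)
	}
	if err := os.WriteFile("client.csr", csrPEM, 0o644); err != nil {
		panic(err)
	}
}
```

Run it once per certificate you want issued: each run produces a fresh key and a fresh CSR, which matches the one-CSR-per-certificate model above, and the `0o600` mode on the key file is the minimum you should accept for a credential that never needs to be transmitted.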
Best practices
Certificate management
- Use descriptive names that indicate the certificate's purpose and environment
- Implement certificate rotation before expiration dates
- Monitor certificate expiry with automated alerts
- Store private keys securely and never transmit them
Security considerations
- Use strong keys: RSA 2048-bit minimum (prefer 4096-bit) or ECDSA P-256/P-384; P-256 gives roughly the security of RSA 3072 with a much smaller handshake
- Validate properly in your applications: check the full chain to a trusted CA, the validity period and the clientAuth extended key usage, then map the certificate's subject to an identity your application authorizes; the mere presence of a certificate proves nothing
- Check revocation with Certificate Revocation Lists (CRL) or OCSP, and decide explicitly whether to fail open or closed when the revocation source is unreachable
- Test thoroughly in non-production environments first
Operational guidelines
- Start simple with one certificate and gradually expand
- Document certificate mappings to services and environments
- Implement backup procedures for certificate recovery; a backed-up private key needs the same access controls as the original
- Train team members on certificate lifecycle management