Understanding mutual TLS

Hi Team,

I would like to know what the main reason for using mutual TLS is?
It is said that authenticated devices are automatically accepted in the Mender server. But in my case I could see the device in the pending list in the Mender server, and I had to accept it manually. Can you please elaborate on this mutual TLS feature?

Background description about my mutual TLS testing:

  1. Generated CA, client and server certificates as per the Mender documentation
  2. Edge proxy is running on the host PC where Docker is running
  3. Copied the device private key and certificates to the rootfs and flashed the binaries to the board
  4. Device is listed in the pending list of the hosted server while it is booting
  5. Manually accepted the device and tested the OTA update

Is my testing procedure as expected?
Can I get some more clarification about the advantages of using mutual TLS?

Looking forward to your response.

Thanks & Regards,
Chaithanya


Hi @chaithanya,

After the mTLS connection is successful you should see your device flagged as accepted, without having to accept it manually.

I recommend following the double-checking process we describe for troubleshooting.

mTLS is particularly useful in mass production, as it is a secure way of adding new devices to your account without human interaction.

Checking old interactions, I see there is a whole thread here; how different is your current setup from the one described there?

Regards,
Luis

@lramirez

Thank you for your response.

I have not gone through preauthorizing the device. Do I need to preauthorize the device first and then go for mutual TLS?

Regards,
Chaithanya

No need to preauthorize first. mTLS automatically authorizes the device based on the device certificate.

Hi @chaithanya ,

Did your device connect to the edge proxy or to the hosted server?

The device should connect to the edge proxy domain name. If the device connects to the hosted server, then it will be in the pending list.

Best regards

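The behaviour the replies above describe, that the device's identity comes from the certificate it presents during the TLS handshake and that a connection without a certificate from the trusted CA is refused at the proxy, as an added Go example that is not Mender's code. It replaces the edge proxy with a hypothetical local TLS listener and generates the CA, device and proxy certificates in-process, so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a P-256 certificate for cn signed by parent; parent == nil yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// ProxyHandshake is a hypothetical stand-in for the edge proxy (not Mender's code): it accepts one connection, requires a
// client cert chaining to ca, and returns the CommonName it would pass on as the device identity. Empty client = no cert.
func ProxyHandshake(ca *x509.Certificate, caKey *ecdsa.PrivateKey, client []tls.Certificate) (string, error) {
	srvCert, srvKey := issue("edge-proxy", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		SessionTicketsDisabled: true, Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // device side: trusts the CA for the proxy's certificate and offers whatever client certs it has
		if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "edge-proxy", Certificates: client}); err == nil {
			conn.Close() // the handshake is all this demo needs; the proxy-side error, if any, explains a failure
		}
	}()
	c, _ := ln.Accept() // one loopback connection from the goroutine above; Accept errors are not expected here
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil {
		return "", err // no certificate, or one from an unknown CA: refused before any API request is read
	}
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

A device that reaches the backend without passing through such a listener never presents its certificate, which is why it shows up as pending instead of accepted.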