FusionAuth

    How to implement mutual TLS (mTLS) with FusionAuth — best practices and real-world solutions?

    General Discussion
    • ehallpassofficial

      Hello FusionAuth community,

      1. Background:
        I’m currently using FusionAuth (self-hosted / cloud) and I need to implement mutual TLS (client certificate verification) for enhanced security. I’ve seen a few forum posts mentioning that FusionAuth doesn’t natively support mTLS, and that people often rely on workarounds like Nginx, ALB, or custom token flows.

      2. Main Challenge:

      If I’m running FusionAuth on <your version/setup>, what’s the recommended way to enable mTLS smoothly?

      Has anyone tried the “certificate hash injection” approach or “cnf claim injection” with Lambdas? Did you face any performance or maintainability issues?

      Are there any differences in handling mTLS between FusionAuth Cloud and self-hosted deployments?

      3. My Current Setup (for context):

      FusionAuth version: 1.5x

      Deployment: Self-hosted Docker / AWS

      Proxy: Nginx (or ALB) as TLS terminator

      Use case: High-security banking app where client certificates are required

      4. Specific Questions:

      What’s considered best practice — proxy-level mTLS with FusionAuth behind it, or Lambda-based token injection?

      How do you handle certificate rotation and validation efficiently?

      If you’ve already implemented this kind of setup, what tips or pitfalls should I watch out for?

      5. Closing:
        Any advice, shared experiences, or helpful resources would be greatly appreciated. Thanks in advance!
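      The check that sits behind the “cnf claim injection” approach asked about above, added here as an example (not code from FusionAuth, the poster, or the original thread): the resource server recomputes the RFC 8705 `x5t#S256` thumbprint of the client certificate the TLS-terminating proxy forwards and compares it with the `cnf` claim FusionAuth would have placed in the token. It assumes Nginx forwards the certificate URL-encoded in a header (as its `$ssl_client_escaped_cert` variable does); the certificate bytes and claims are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote


def pem_to_der(cert_pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    body = [ln.strip() for ln in cert_pem.strip().splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def x5t_s256(cert_pem: str) -> str:
    """RFC 8705 'x5t#S256': base64url(SHA-256(DER certificate)) without '=' padding."""
    digest = hashlib.sha256(pem_to_der(cert_pem)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def cert_from_proxy_header(header_value: str) -> str:
    """Decode the URL-encoded PEM the proxy forwards (Nginx $ssl_client_escaped_cert).
    The proxy must always set this header itself so a client cannot supply its own."""
    return unquote(header_value)


def token_bound_to_cert(claims: dict, cert_pem: str) -> bool:
    """Accept the token only if its cnf thumbprint matches the presented certificate."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not expected:
        return False  # no binding claim: never fall back to plain bearer semantics
    return hmac.compare_digest(expected, x5t_s256(cert_pem))


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


# Constructed sample input: these bytes stand in for real DER certificates.
CLIENT_PEM = make_pem(b"constructed-client-cert-bytes-not-a-real-x509")
OTHER_PEM = make_pem(b"constructed-different-client-cert-bytes")
# Constructed claims, shaped like a token in which FusionAuth injected cnf via a lambda.
BOUND_CLAIMS = {"sub": "user-123", "cnf": {"x5t#S256": x5t_s256(CLIENT_PEM)}}

if __name__ == "__main__":
    forwarded = quote(CLIENT_PEM, safe="")  # simulate the proxy's escaped header value
    print(token_bound_to_cert(BOUND_CLAIMS, cert_from_proxy_header(forwarded)))
```

      A token whose thumbprint does not match the forwarded certificate, or that carries no `cnf` at all, is rejected rather than treated as a bearer token.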
      • mark.robustelli @ehallpassofficial

        @ehallpassofficial From what I can tell, you are right on with using the proxy as the way to go. I don't have specific experience with that so would love to hear from the community on theirs as well. I did find an open issue with this request and suggest you upvote it to give it some visibility.
