Hello FusionAuth community,
-
Background:
I’m currently using FusionAuth (self-hosted / cloud) and I need to implement mutual TLS (client certificate verification) for enhanced security. I’ve seen a few forum posts mentioning that FusionAuth doesn’t natively support mTLS, and that people often rely on workarounds like Nginx, ALB, or custom token flows. -
Main Challenge:
If I’m running FusionAuth on <your version/setup>, what’s the recommended way to enable mTLS smoothly?
Has anyone tried the “certificate hash injection” approach or “cnf claim injection” with Lambdas? Did you face any performance or maintainability issues?
Are there any differences in handling mTLS between FusionAuth Cloud and self-hosted deployments?
- My Current Setup (for context):
FusionAuth version: 1.5x
Deployment: Self-hosted Docker / AWS
Proxy: Nginx (or ALB) as TLS terminator
Use case: High-security banking app where client certificates are required
- Specific Questions:
What’s considered best practice — proxy-level mTLS with FusionAuth behind it, or Lambda-based token injection?
How do you handle certificate rotation and validation efficiently?
If you’ve already implemented this kind of setup, what tips or pitfalls should I watch out for?
- Closing:
Any advice, shared experiences, or helpful resources would be greatly appreciated. Thanks in advance!