Support for mTLS

Mutual Transport Layer Security (mTLS), also known as Mutual Authentication, is an authentication method that validates the digital certificate on both sides of a request: on the client side and on the Edge.

With mTLS activated, Azion checks the user’s browser certificate and validates it against the Trusted Certificate (Trusted CA) of your Edge Application.

mTLS is optional for applications using TLS protocols. However, it does promise a more secure TLS handshake and is an Open Banking requirement.


Your Edge Application must be operating over the Hypertext Transfer Protocol Secure (HTTPS) protocol. Azion Console allows you to configure mTLS in applications running with HTTP only (without the TLS encryption layer), but mTLS requires an HTTPS connection to work.

Protocol options are available on your Edge Application configuration page in Azion Console.

See the guide on associating an mTLS certificate with a domain.

Digital Certificate with support for mTLS (Trusted CA)

To configure mTLS in your Edge Application, you need a Digital Certificate that supports mTLS, generated by a Third-Party Certificate Authority. At Azion, we call this certificate Trusted CA.

Select or add a new Domain and make sure the mTLS option is enabled. Then select the previously added Trusted CA.

Free certificates, generated internally by Azion (Azion [SAN]), don’t support mTLS.

To use mTLS Enforce mode, you must use the Server Name Indication (SNI) extension to the traditional TLS protocol.

Connections without SNI are handled by the default configuration, which, at the time of the TLS handshake, delivers the Azion SAN certificate.

When a request without SNI arrives for a Domain with mTLS in Enforce mode, the connection is interrupted before the route of your Edge Application is resolved.

Make sure your Edge Applications always use SNI on requests.

How mTLS works at Azion

The default configuration of mTLS blocks access attempts whose user identity can’t be verified.

If your application needs special access, it is necessary to configure a permissive check (Permissive mTLS). Permissive checking can be configured on the Domains page.

You can also change and specify the header variables of your mTLS to meet Open Banking requirements. This can be done in the Edge Application configuration page, within Azion Console.

The list of accepted variables is available on the Rules Engine for Edge Application page.



These are the default limits for each Service Plan:

Developer | Business | Enterprise | Mission Critical