# Mutual TLS

This policy enables automatic encrypted mTLS traffic for all the services in a Mesh.

Kuma ships with a builtin CA (Certificate Authority) which is initialized with an auto-generated root certificate. The root certificate is unique for every Mesh and it used to sign identity certificates for every data-plane.

The mTLS feature is used for AuthN/Z as well: each data-plane is being assigned with a workload identity certificate, which is SPIFFE compatible. This certificate has a SAN set to spiffe://<mesh name>/<service name>. When Kuma enforces policies that require an identity, like TrafficPermission, it will extract the SAN from the client certificate and use it for every identity matching operation.

By default, mTLS is not enabled. You can enable Mutual TLS by updating the Mesh policy with the mtls setting.

On Universal:

type: Mesh
name: default
mtls:
  enabled: true 
  ca:
    builtin: {}
1
2
3
4
5
6

You can apply this configuration with kumactl apply -f [file-path].

On Kubernetes:

apiVersion: kuma.io/v1alpha1
kind: Mesh
metadata:
  namespace: kuma-system
  name: default
spec:
  mtls:
    enabled: true
    ca:
      builtin: {}
1
2
3
4
5
6
7
8
9
10

You can apply this configuration with kubectl apply -f [file-path].

Currently Kuma only support self-signed certificates (builtin). In the future we plan to add support for third-party Certificate Authorities.

Last Updated: 2/18/2020, 8:37:22 PM