Mutual TLS for upstream (outbound) traffic

Hi folks,

Glad to see the release fo 2.4, and accomplishing another milestone.

I just want to check if the Mutual TLS can be offered for outbound traffic? In this case, Tyk API Gateway will actually be the client, and the upstream service provider will be the server

I came across use cases (especially for enterprise) where Mutual TLS is also required when interfacing with the actual service providers, so this could probably be a neat feature to address some over-paranoid security folks and their guidelines.


Yes! In context of our mutual terms it is called upstream access, and this is exactly what you describe: //

Think i have misunderstood the documentations, and thought the Mutual TLS is the other way round :slight_smile:

Thanks for the clarification!

In fact, this release brings mutual tls support for both inbound and outbound traffic :slight_smile:

1 Like

Hi Leon,

I am trying to check out the feature on my trial cloud version, and have some questions on that. Feel free to edit the thread category if it falls under something else.

  1. Do i need to trust / import the root ca before i add a certificate, or any pre-condition? I am unable to add a self-signed pem file at the API designer (another reasons could be i possibly generate the pem file wrongly, but these files i did used them successfully for my previous test)

  1. For the upstream TLS , how do i add a corresponding certificate that will be verified by the destination upstream server? Is there an option there to manage certificates?

Just re-signed the certificate and it’s working now. :slight_smile: , Think i have to chain them as per the suggestion.

Interesting observation, seems like Tyk will take in all valid certificate regardless if its self-signed or not.

Yes, you are right! Tyk will accept any valid certficaite, and do not use your local CA at the moment.

Oh ok, got it.

Does that mean the API Gateway, eventually, will have to manage its own local trust store? This is ensure only certificate signed by valid root CA (either self-signed locally or public CA like Verisign) can be uploaded.

I think in next versions, we will add an option to make it work with local system trust store.