mTLS

Overview

We are introducing mutual TLS (mTLS) support for APIv3 to enforce stronger client-server authentication. This includes a new API domain, secure certificate handling, and improved configuration tools. With mTLS we consider both inbound requests (ingress: to Cellosign) and outbound requests (egress: from Cellosign).

Ingress: Traffic to the Cellosign service

With mTLS activated there are two options:

- mTLS is mandatory
- mTLS is optional

Use the project security settings to manage this option.

- If inbound mTLS is required, Cellosign accepts requests for the project's resources only when the request URI uses the mTLS domain (see the table below).
- If inbound mTLS is optional, the request URI can use either the mTLS domain or the existing domain.

Dedicated mTLS API Service

A new domain, https://api.cellosign.com (Cloudflare-managed), exclusively handles mTLS traffic. Non-mTLS traffic is rejected if the project requires mTLS.

Project-Level mTLS Configuration

Projects can require mTLS by toggling Requires mTLS in the security settings.

Cloudflare-Based Certificate Handling

Cloudflare validates both server and client certificates. Only validated connections reach the backend.

Egress: Webhook traffic from the Cellosign service

With egress, you can upload your certificates into Cellosign, and Cellosign will use them during the TLS handshake when posting requests to your APIs. To do that you are required to upload your certificates and connect them to webhooks.

Users can attach:

- CA Certificate (optional)
- Client Certificate/Key Pair (required)

Read here how to upload certificate files: integration guide
Read here how to integrate a certificate into an egress webhook

BPMN Webhook Enhancements

BPMN WebServiceDefinitions now support:

- certificateAuthority
- clientCertificateKey

New mTLS Domains for Each Environment

Environment   mTLS Domain
Production    api.cellosign.com
Preprod       preprod-api.cellosign.com
Stage         stage-api.cellosign.com
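Both ends of this setup, as an added example that is not Cellosign's code: an ingress-side client context that presents your certificate/key pair to the mTLS API domain, and an egress-side context for the webhook endpoint Cellosign posts to, which requires a client certificate and then pins the issuer and subject of the certificate actually presented. The file paths, CA and certificate names and the sample peer certificate are constructed/hypothetical.

```python
import ssl
import time

def api_client_context(client_cert, client_key):
    """Ingress: call the mTLS API domain with our client cert/key pair (paths hypothetical)."""
    ctx = ssl.create_default_context()           # also verifies the server certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(client_cert, client_key)
    return ctx

def webhook_receiver_context(server_cert, server_key, client_ca):
    """Egress: endpoint Cellosign posts to; require a client cert chaining to client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(client_ca)         # CA that issued the pair uploaded to Cellosign
    ctx.verify_mode = ssl.CERT_REQUIRED          # handshake fails without a valid client cert
    return ctx

def _rdn_dict(rdns):
    # getpeercert() encodes subject/issuer as a tuple of RDNs, each a tuple of (attr, value) pairs
    return {attr: value for rdn in rdns for attr, value in rdn}

def peer_allowed(peer_cert, expected_issuer_cn, expected_subject_cn, now=None):
    """Post-handshake pin on the dict from SSLSocket.getpeercert(): chain validation
    alone accepts any certificate from that CA, so also pin issuer and subject CN
    and reject an expired certificate. Returns (allowed, reason)."""
    if not peer_cert:
        return False, "no client certificate presented"
    issuer = _rdn_dict(peer_cert.get("issuer", ()))
    subject = _rdn_dict(peer_cert.get("subject", ()))
    if issuer.get("commonName") != expected_issuer_cn:
        return False, "unexpected issuer"
    if subject.get("commonName") != expected_subject_cn:
        return False, "unexpected subject"
    now = time.time() if now is None else now
    if now >= ssl.cert_time_to_seconds(peer_cert["notAfter"]):
        return False, "client certificate expired"
    return True, "ok"

# Constructed sample in getpeercert() shape; the names are hypothetical.
SAMPLE_PEER = {
    "subject": ((("commonName", "cellosign-webhook-client"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Webhook CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
```

In a receiver built on `webhook_receiver_context`, call `peer_allowed(sock.getpeercert(), ...)` after accepting the connection and reject the request unless it returns `True`.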