# Enable mTLS (mutual TLS)

## Overview

Link11 WAAP supports mutual TLS (mTLS). This is optional, and can be enabled separately for:

* Communication between Link11 WAAP and customer backends, for one or both ends of the pipeline.
* Communication between clients (end users) and L11WAAP.

To enable mTLS for one end of the pipeline, the appropriate certificate(s) must be supplied. The names used for them within the system are as follows:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FLpqryzpoUTsC3fpeY0YN%2FSSL%20Certificate%20nomenclature.png?alt=media&#x26;token=b77fbe4c-018c-4ca3-8e9c-a429ba5cf35c" alt=""><figcaption></figcaption></figure>

## How it works

### L11WAAP-to-customer-backend mTLS

Configuring mTLS to the customer backend is straightforward. After enabling this feature (as described below), admins add certificate(s) and assign them to [Backend Service(s)](https://waap.docs.link11.com/console-walkthrough/sites/backend-services). Once configured, L11WAAP will use mTLS when communicating with customer origins.

### Client-to-L11WAAP mTLS

Configuring mTLS to clients also requires feature enablement. Then, admins add CA Certificates and assign them to [Server Groups](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#ca-certificate).

Once client-to-L11WAAP mTLS is configured, end users will be required to present a client certificate at the beginning of each session during the TLS handshake. L11WAAP will validate the certificate, including the date, issuer, and verification against the [Client Revocation List](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#using-crls-to-revoke-client-certificates). If validation fails, the user will receive an error, and will not be permitted to connect to the protected system.

Two additional notes about this type of mTLS:

* In the user interface, mTLS is only available when using an AWS [NLB](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) (Network Load Balancer). To enable mTLS when using a Link11 load balancer, contact support.
* mTLS verification does not exempt a client from other types of traffic filtering. Even if a client successfully establishes an mTLS connection with L11WAAP, its requests will still be blocked if they originate from a banned source, exceed rate limits, match a content filtering signature, etc.

## How to configure mTLS for communication with the backend(s)

Follow this process:

* [Enable the desired type(s) of server-to-backend certificates within the system](https://waap.docs.link11.com/console-walkthrough/system/system-db#enabling-certificates-for-mtls).
* Upload the certificate(s) in the *Server-to-Backend mTLS Certificates* tab and/or *Server-to-Backend CA Certificates* tab(s) of the [Certificates](https://waap.docs.link11.com/console-walkthrough/sites/ssl/certificates) page.
* [Publish](https://waap.docs.link11.com/console-walkthrough/system/publish-changes) your changes.
* Assign the appropriate certificate(s) to each Backend Service:
  * Open the Backend Service in the [Backend Service Editor](https://waap.docs.link11.com/console-walkthrough/sites/backend-services) page.
  * Select the appropriate certificate(s) in the dropdown list(s).
* Save and publish your changes.

## How to configure mTLS for communication with clients

Follow this process:

* [Enable CA Certificates within the system](https://waap.docs.link11.com/console-walkthrough/system/system-db#enabling-certificates-for-mtls).
* Upload the CA Certificate(s) in the *CA Certificates* tab of the [Certificates](https://waap.docs.link11.com/console-walkthrough/sites/ssl/certificates) page.
* [Publish](https://waap.docs.link11.com/console-walkthrough/system/publish-changes) your changes.
* Assign the appropriate certificate to each Server Group:
  * Open the Server Group in the [Server Group Editor](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#overview) page.
  * Select the appropriate CA certificate in the [dropdown list](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#ca-certificate).
  * Select the desired [mode](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#mode).
  * Configure [CRLs](https://waap.docs.link11.com/console-walkthrough/sites/server-groups#using-crls-to-revoke-client-certificates) (Client Revocation Lists), if desired.
* Save and publish your changes.
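Before uploading a CA certificate and CRL, it is useful to confirm that a given client certificate would pass the three checks described under "How it works" (validity dates, issuer chain to the CA, CRL status). The script below is an added example, not Link11's code: it builds a constructed throwaway PKI and runs those checks with the `openssl` CLI, which it assumes is installed; the `make_pki` and `check_client_cert` function names are the example's own.

```shell
#!/bin/sh
# Added example (not Link11's code): reproduce the checks L11WAAP applies to a client
# certificate (validity window, issuer chain to the uploaded CA, CRL status) with the
# openssl CLI, so a certificate can be pre-checked before the CA and CRL are uploaded.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed test PKI: one CA, two client certs issued by it, one self-signed stray cert.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/CN=Example Client CA" >/dev/null 2>&1
  for name in alice bob; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=$name" >/dev/null 2>&1
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out "$name.crt" -days 30 >/dev/null 2>&1
  done
  openssl req -x509 -newkey rsa:2048 -nodes -keyout mallory.key -out mallory.crt \
    -days 30 -subj "/CN=mallory" >/dev/null 2>&1
  # Minimal 'openssl ca' database, only so that a CRL revoking bob can be issued.
  touch index.txt
  echo 1000 > crlnumber
  printf '[ca]\ndefault_ca = waap\n[waap]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\ndefault_crl_days = 365\n' > ca.cnf
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke bob.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl >/dev/null 2>&1
}

# The check itself. Args: client cert, CA cert, CRL, optional Unix time to evaluate at
# (defaults to now). Exit status 0 means the certificate passes all three checks.
check_client_cert() {
  cert=$1; ca=$2; crl=$3; at=${4:-$(date +%s)}
  openssl verify -crl_check -attime "$at" -CAfile "$ca" -CRLfile "$crl" "$cert" >/dev/null 2>&1
}

make_pki
check_client_cert alice.crt ca.crt ca.crl && echo "alice: accepted"
check_client_cert bob.crt ca.crt ca.crl || echo "bob: rejected (revoked via CRL)"
check_client_cert mallory.crt ca.crt ca.crl || echo "mallory: rejected (not issued by the CA)"
check_client_cert alice.crt ca.crt ca.crl $(( $(date +%s) + 31 * 86400 )) || echo "alice in 31 days: rejected (certificate expired)"
```

Point `check_client_cert` at a real client certificate, the CA certificate you intend to upload, and the CRL you intend to configure to see whether that client would be admitted.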
