# Enable mTLS (mutual TLS)

## Overview

Link11 WAAP supports mTLS encryption. This is optional, and can be enabled separately for:

* Communication between Link11 WAAP and customer backends, for one or both ends of the pipeline.
* Communication between clients (end users) and L11WAAP.

To enable mTLS for either end of the pipeline, the appropriate certificate must be supplied. The certificate types are named within the system as follows:

<figure><img src="/files/sML8VW5gUXNLj3GPcIFA" alt=""><figcaption></figcaption></figure>

## How it works

### L11WAAP-to-customer-backend mTLS

Configuring mTLS to the customer backend is straightforward. After enabling this feature (as described below), admins add certificate(s) and assign them to [Backend Service(s)](/console-walkthrough/sites/backend-services.md). Once configured, L11WAAP will use mTLS when communicating with customer origins.

### Client-to-L11WAAP mTLS

Configuring mTLS to clients also requires feature enablement. Then, admins add CA Certificates and assign them to [Server Groups](/console-walkthrough/sites/server-groups.md#ca-certificate).

Once client-to-L11WAAP mTLS is configured, end users will be required to present a client certificate at the beginning of each session during the TLS handshake. L11WAAP will validate the certificate, including the date, issuer, and verification against the [Client Revocation List](/console-walkthrough/sites/server-groups.md#using-crls-to-revoke-client-certificates). If validation fails, the user will receive an error, and will not be permitted to connect to the protected system.

Two additional notes about this type of mTLS:

* In the user interface, mTLS is only available when using an AWS [NLB](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) (Network Load Balancer). To enable mTLS when using a Link11 load balancer, contact support.
* mTLS verification does not exempt a client from other types of traffic filtering. Even if a client successfully establishes an mTLS connection with L11WAAP, its requests will still be blocked if they originate from a banned source, or exceed rate limits, or match a content filtering signature, etc.
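The three checks described above (validity dates, issuing CA, and the CRL) can be rehearsed locally before a CA Certificate and CRL are uploaded. The script below is an added example, not Link11 tooling: it builds a throwaway CA, a client certificate, a certificate from an unrelated CA and a CRL, then runs `openssl verify` in each of the four situations. It assumes the `openssl` CLI is installed; every file name and subject is constructed for the example.

```shell
#!/bin/sh
# Added example, not Link11 tooling: reproduce locally the three checks L11WAAP applies to
# a client certificate (validity dates, issuing CA, CRL) so a CA and CRL can be exercised
# before upload. Requires the openssl CLI; all key material is throwaway and built here.
set -eu
PKI=$(mktemp -d)

# Build a disposable client CA, a client cert it issued, a cert from an unrelated CA,
# and a CRL that revokes the client cert.
setup_test_pki() (
  cd "$PKI"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/CN=Example Client CA" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=alice" 2>/dev/null
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 7 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt -days 7 \
    -subj "/CN=untrusted" 2>/dev/null
  # Minimal "openssl ca" state: just enough to revoke one cert and emit a CRL.
  printf '[ca]\ndefault_ca = local\n[local]\ndatabase = index.txt\ncrlnumber = crlnumber\n' > ca.cnf
  printf 'default_md = sha256\ndefault_crl_days = 7\nprivate_key = ca.key\ncertificate = ca.crt\n' >> ca.cnf
  : > index.txt
  echo 01 > crlnumber
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
)

# Exit status 0 when <cert> chains to the trusted CA and passes any extra verify options.
check_cert() {  # usage: check_cert <cert file name> [openssl verify options]
  cert=$1; shift
  openssl verify -CAfile "$PKI/ca.crt" "$@" "$PKI/$cert" >/dev/null 2>&1
}

check_issuer_ok()  { check_cert client.crt; }   # issued by the trusted CA
check_issuer_bad() { check_cert other.crt; }    # issued by an unknown CA
# Date check: the 7-day client cert evaluated as if 10 days had passed.
check_expired()    { check_cert client.crt -attime "$(( $(date +%s) + 10 * 86400 ))"; }
# CRL check: the same cert once the CRL lists it.
check_revoked()    { check_cert client.crt -CRLfile "$PKI/ca.crl" -crl_check; }

setup_test_pki
check_issuer_ok  && echo "client.crt: accepted"
check_issuer_bad || echo "other.crt: rejected (unknown issuer)"
check_expired    || echo "client.crt at +10 days: rejected (expired)"
check_revoked    || echo "client.crt with CRL: rejected (revoked)"
```

The same `openssl verify` invocations can be pointed at a real client certificate and the CA/CRL files you intend to upload.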

## How to configure mTLS for communication with the backend(s)

Follow this process:

* [Enable the desired type(s) of server-to-backend certificates within the system](/console-walkthrough/system/system-db.md#enabling-certificates-for-mtls).
* Upload the certificate(s) in the *Server-to-Backend mTLS Certificates* tab and/or *Server-to-Backend CA Certificates* tab(s) of the [Certificates](/console-walkthrough/sites/ssl/certificates.md) page.
* [Publish](/console-walkthrough/system/publish-changes.md) your changes.
* Assign the appropriate certificate(s) to each Backend Service:
  * Open the Backend Service in the [Backend Service Editor](/console-walkthrough/sites/backend-services.md) page.
  * Select the appropriate certificate(s) in the dropdown list(s).
* Save and publish your changes.

## How to configure mTLS for communication with clients

Follow this process:

* [Enable CA Certificates within the system](/console-walkthrough/system/system-db.md#enabling-certificates-for-mtls).
* Upload the CA Certificate(s) in the *CA Certificates* tab of the [Certificates](/console-walkthrough/sites/ssl/certificates.md) page.
* [Publish](/console-walkthrough/system/publish-changes.md) your changes.
* Assign the appropriate certificate to each Server Group:
  * Open the Server Group in the [Server Group Editor](/console-walkthrough/sites/server-groups.md#overview) page.
  * Select the appropriate CA certificate in the [dropdown list](/console-walkthrough/sites/server-groups.md#ca-certificate).
  * Select the desired [mode](/console-walkthrough/sites/server-groups.md#mode).
  * Configure [CRLs](/console-walkthrough/sites/server-groups.md#using-crls-to-revoke-client-certificates) (Client Revocation Lists), if desired.
* Save and publish your changes.

