Mutual TLS
mTLS (mutual TLS) is standard TLS with one addition: both the client and the server present a certificate, and each side validates the other's, rather than only the client validating the server. In the financial sector, where the integrity of transactions is paramount, mTLS ensures that only clients presenting a valid certificate can initiate requests, safeguarding against unauthorised access.
Configuring mTLS does not replace the requirement for JWT-signed client credentials: your client must still authenticate with them.
Benefits of mTLS
Both clients and servers are authenticated, so each side knows who it is talking to.
As with standard TLS, all traffic is encrypted, protecting against eavesdropping.
Actions performed by either side can be securely traced to their origin, because both parties are authenticated.
Permissions Notes
To access the certificate generation features in the Admin Portal you need a specific permission.
Contact Moneyhub and they will guide you through the process.
Generating mTLS Certificates
1 - Open the API menu bar on the Admin Portal platform.
2 - Go to the Certificate Generation section and click the 'Generate Certificate' button. Take the Certificate Signing Request (CSR) from the calling provider and paste it into the form input. Only the CSR is submitted; the private key it was generated from stays with the calling provider.
3 - Submit, and after a few seconds the signed certificate is displayed. Keep it alongside the private key used for the CSR; your application needs both.
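The following is an added example, not Moneyhub's own tooling: it creates the private key and the CSR that step 2 asks you to paste into the Admin Portal, and then checks that a certificate was issued for that key, which is the check to run on the certificate the portal returns before deploying it. It assumes openssl is installed; the RSA-2048 key type and the subject are placeholders (use whatever Moneyhub asks for), and the self-signed certificate in the demo only stands in for the one the portal issues.

```sh
#!/bin/sh
# Added example, not Moneyhub's tooling. Assumptions: openssl is installed;
# RSA-2048 and the subject are placeholders; the self-signed certificate in
# the demo stands in for the one the Admin Portal returns.
set -eu

# Create client.key and client.csr in directory $1 for common name $2.
# Returns 0 when the CSR's self-signature verifies.
make_csr() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/client.key" 2>/dev/null
  chmod 600 "$dir/client.key"          # the private key never leaves this machine
  openssl req -new -key "$dir/client.key" -subj "/CN=$cn" \
    -out "$dir/client.csr" 2>/dev/null
  openssl req -in "$dir/client.csr" -noout -verify >/dev/null 2>&1
}

# Returns 0 when certificate $1 carries the public key of private key $2.
# Run this on the certificate the portal returns before deploying it.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo: make a CSR, print what you would paste into the portal, then exercise
# the match check against a locally self-signed stand-in certificate.
WORK=$(mktemp -d)
make_csr "$WORK" "example-api-client"
cat "$WORK/client.csr"
openssl x509 -req -in "$WORK/client.csr" -signkey "$WORK/client.key" \
  -days 1 -out "$WORK/stand-in.crt" 2>/dev/null
cert_matches_key "$WORK/stand-in.crt" "$WORK/client.key" && echo "certificate matches key"
```

The public-key comparison is the quickest way to catch the common mistake of pairing a returned certificate with the wrong key (for example after regenerating the CSR): a mismatch fails the TLS handshake with an unhelpful error, whereas this check fails before anything is deployed.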

Mutual TLS Bound Access Tokens
Sender-constrained access tokens allow a resource server to verify that the client presenting an access token is the same client the token was issued to. One way to add a sender constraint is to bind the token to the client's mTLS certificate: the authorization server records the certificate when it issues the token, and the resource server checks that the certificate presented on the TLS connection matches when it validates the token.
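As an added example (not Moneyhub's code), the helpers below show the binding mechanism concretely as RFC 8705 specifies it: the token carries the base64url-encoded SHA-256 hash of the client certificate (DER form) in its cnf.x5t#S256 claim, and the resource server hashes the certificate presented on the connection and compares. They compute that thumbprint and read the claim out of a JWT so you can confirm which certificate a token is bound to. The page does not say that Moneyhub uses exactly the RFC 8705 claim or issues JWT-format access tokens, so both are assumptions here; openssl is assumed installed, and the certificate and token in the demo are constructed locally.

```sh
#!/bin/sh
# Added example, not Moneyhub's code. Assumptions: the token is a JWT carrying
# the RFC 8705 cnf.x5t#S256 claim; openssl is installed; the demo certificate
# and token are constructed locally and stand in for real ones.
set -eu

# Base64url-encode stdin without padding (the JOSE encoding).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Print the unpadded base64url SHA-256 thumbprint of PEM certificate $1.
x5t_s256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -binary | b64url
}

# Print the cnf.x5t#S256 value from JWT $1 (empty if the claim is absent).
# Only the payload is decoded; verifying the token's signature is a separate
# step and is not attempted here.
jwt_cnf_x5t() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="$payload="; done
  printf '%s' "$payload" | openssl base64 -d -A \
    | sed -n 's/.*"x5t#S256"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 when JWT $2 is bound to certificate $1, i.e. what a resource
# server checks before accepting the token on an mTLS connection.
token_bound_to_cert() {
  expected=$(x5t_s256 "$1")
  actual=$(jwt_cnf_x5t "$2")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Demo: throwaway self-signed certificate plus an unsigned token that carries
# its thumbprint (both constructed here, not issued by Moneyhub).
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/k.pem" \
  -subj "/CN=demo-client" -days 1 -out "$WORK/c.pem" 2>/dev/null
HDR=$(printf '{"alg":"none"}' | b64url)
PAY=$(printf '{"cnf":{"x5t#S256":"%s"}}' "$(x5t_s256 "$WORK/c.pem")" | b64url)
TOKEN="$HDR.$PAY."
token_bound_to_cert "$WORK/c.pem" "$TOKEN" && echo "token is bound to $WORK/c.pem"
```

The practical consequence for a client is that a token obtained over one certificate is useless with another: if you rotate the certificate, tokens issued against the old one will be rejected by the resource server until you obtain new ones.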
How to enable
To enable mTLS bound access tokens on your API client:
1 - In the admin portal, find your API client under the My Clients section.
2 - Open the client's edit page by clicking the context menu in the upper right corner and selecting "Edit".
3 - Select mTLS as the Sender-constrained access token method.
4 - Save the changes. Your API client is now set up to use mTLS bound access tokens.

Application code
To use mTLS certificates in your application, pass the private key you generated when creating the CSR, together with the certificate received from the Moneyhub admin portal (described above), into your HTTP client's configuration.
Any requests currently made to https://caas.moneyhub.co.uk should be switched to the mTLS endpoint at https://caas-ma.moneyhub.co.uk instead.
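The following is an added example, not Moneyhub's code, showing that configuration with curl as the HTTP client: it rewrites a caas.moneyhub.co.uk URL to the mTLS host, refuses to present the client certificate to any other host, and passes the key and certificate with --key and --cert. The file paths, the ACCESS_TOKEN variable and the request path are placeholders; curl is assumed installed, and the resource path you request is whatever the API you use documents.

```sh
#!/bin/sh
# Added example, not Moneyhub's code. Assumptions: curl is installed; the
# CLIENT_CERT/CLIENT_KEY paths and ACCESS_TOKEN are placeholders.
set -eu

PLAIN_HOST="caas.moneyhub.co.uk"
MTLS_HOST="caas-ma.moneyhub.co.uk"
CLIENT_CERT="${CLIENT_CERT:-client.crt}"   # certificate issued by the Admin Portal
CLIENT_KEY="${CLIENT_KEY:-client.key}"     # private key used to create the CSR

# Rewrite a caas.moneyhub.co.uk URL to the mTLS host; other URLs pass through.
mtls_url() {
  url="$1"
  case "$url" in
    "https://$PLAIN_HOST")   printf '%s\n' "https://$MTLS_HOST" ;;
    "https://$PLAIN_HOST/"*) printf '%s\n' "https://$MTLS_HOST/${url#https://$PLAIN_HOST/}" ;;
    *)                       printf '%s\n' "$url" ;;
  esac
}

# GET $1 over mTLS. Returns 2 without sending anything if the URL does not
# resolve to the mTLS host or the key/certificate are unreadable, so the client
# credentials are only ever presented to the intended endpoint.
mtls_get() {
  url=$(mtls_url "$1")
  case "$url" in
    "https://$MTLS_HOST"|"https://$MTLS_HOST/"*) ;;
    *) echo "refusing to present client certificate to $url" >&2; return 2 ;;
  esac
  if [ ! -r "$CLIENT_CERT" ] || [ ! -r "$CLIENT_KEY" ]; then
    echo "client certificate or key not readable" >&2; return 2
  fi
  set -- --silent --show-error --fail --cert "$CLIENT_CERT" --key "$CLIENT_KEY"
  # mTLS does not replace the access token; it only binds the token to this
  # certificate. Send the token when one is available.
  if [ -n "${ACCESS_TOKEN:-}" ]; then
    set -- "$@" -H "Authorization: Bearer $ACCESS_TOKEN"
  fi
  curl "$@" "$url"
}

# Usage: ACCESS_TOKEN=... sh mtls_get.sh https://caas.moneyhub.co.uk/<path>
if [ $# -gt 0 ]; then mtls_get "$1"; fi
```

In a language-level HTTP client the equivalent is loading the same two files into the client's TLS context (for example the key and cert options of an HTTPS agent); the host check and the refusal to send the certificate elsewhere are worth keeping wherever the configuration lives.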