This project is a simple demonstration of Mutual TLS (mTLS) authentication using Java and OpenSSL-generated certificates in PKCS12 format.
It includes:
- A Bash script (
setup-mtls.sh) to generate certificates. - A Java HTTPS server (
MutualTLSServer.java) that requires clients to present valid certificates. - A Java HTTPS client (
MutualTLSClient.java) that authenticates itself and trusts only a known server.
Mutual TLS is an extension of standard TLS (Transport Layer Security) where both the server and the client authenticate each other using certificates.
- In normal TLS (e.g., HTTPS), the client verifies the server's identity via its certificate.
- In mutual TLS, the server also requires the client to present a trusted certificate, creating a two-way trust.
This is commonly used in:
- Secure microservice communication
- APIs requiring strong client identity
- Enterprise VPNs
git clone https://github.com/your-username/mutual-tls-java-demo.git
cd mutual-tls-java-demoMake sure you have OpenSSL installed, then run:
./setup-mtls.shThis will generate:
- A Certificate Authority (CA)
- A server certificate signed by the CA
- A client certificate signed by the CA
- PKCS12 keystores:
server.p12,client.p12
Ensure you’re using Java 11 or later (for TLS 1.3 compatibility).
javac MutualTLSServer.java
javac MutualTLSClient.javajava MutualTLSServerYou should see:
HTTPS server with mTLS started on port 8443Open a second terminal and run:
java MutualTLSClientExpected output:
Server response: Hello, authenticated client!- Java 11+
- OpenSSL (for generating certificates)
- Bash shell
- This setup is for local development and educational purposes.
- In production, certificates should have stronger protection, revocation support, and expiry handling.
- Passwords like
changeitshould never be used in real deployments.