Generating mTLS client certs

Hi Team. We use LetsEncrypt for generating server certs and are trying to incorporate mTLS between client certs. Is it possible to create client side certs with LetsEncrypt?

1 Like

We only issue leaf certificates with a fixed profile that is typically not suitable for client certificates.

7 Likes

To try to clarify, the certificates that Let's Encrypt issues do have the "TLS Client Authentication" feature set, so you can technically use them for client authentication. But for most cases it isn't the best option, and you probably want to make sure that your system isn't going to just accept any certificate that Let's Encrypt issues. And by that point, it may make the most sense to use your own private CA.

7 Likes

Another reason in support of that is that all of Let's Encrypt's certificates are domain-validation certificates whose subjects are DNS names. The subject is never the name or identity of an individual person or organization. If you're authenticating individual people, control of DNS names is not usually a convenient thing to make them prove, and if those subject names are all subdomains of the same domain, you can also quickly run into Let's Encrypt rate limits.

7 Likes

Also, the WebPKI as a whole (as shepherded by the CA/Browser Forum) has been moving away from allowing the TLS Client Auth Extended Key Usage to appear in publicly-trusted certificates. It'll probably still be a while before they get banned, but the ecosystem is certainly moving in that direction, so I'd advise against adding reliance on the Client Auth EKU in publicly-trusted certs today. We'll likely phase it out of the certs we issue sometime in the next few years.

8 Likes
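As an added example (not code from anyone in this thread), here is a Go program that does what the replies recommend: it issues client certs from a private CA whose subject is a person (an e-mail SAN rather than a DNS name), and the verifier accepts a cert only if it chains to that private root, the chain permits the clientAuth EKU, and the identity is on an allowlist. It assumes only Go's standard crypto/x509 package; the CA names and addresses are constructed, and the one-line must helper is demo-only error handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo-only error handling
// issue signs tmpl with signer (the parent's key); passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}
// NewCA builds a private root CA: the "own private CA" the thread recommends for client certs.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}
// IssueClient issues a leaf whose identity is a person (an e-mail SAN), not a DNS name as in a Let's Encrypt cert.
func IssueClient(ca *x509.Certificate, caKey *ecdsa.PrivateKey, email string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the client's key; a real CA never holds it
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: email}, EmailAddresses: []string{email},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}, ca, &key.PublicKey, caKey)
}
// VerifyClientCert: the chain must end at OUR roots (not just any CA), permit clientAuth, and name an allowlisted identity.
func VerifyClientCert(cert *x509.Certificate, roots *x509.CertPool, allowed map[string]bool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err == nil && (len(cert.EmailAddresses) != 1 || !allowed[cert.EmailAddresses[0]]) {
		err = fmt.Errorf("identity %v not on allowlist", cert.EmailAddresses) // chained fine, but not someone we know
	}
	return err // non-nil for an unknown root (e.g. a public CA), an expired cert, or a chain that does not permit clientAuth
}
func Scenarios() map[string]error { // four constructed cases; only the first should verify (nil error)
	ours, ourKey := NewCA("Example Corp Private Client CA")
	other, otherKey := NewCA("Some Public CA (constructed stand-in)")
	roots, allowed := x509.NewCertPool(), map[string]bool{"alice@example.com": true}
	roots.AddCert(ours)
	return map[string]error{
		"ours, clientAuth, allowed":  VerifyClientCert(IssueClient(ours, ourKey, "alice@example.com", x509.ExtKeyUsageClientAuth), roots, allowed),
		"other CA, same identity":    VerifyClientCert(IssueClient(other, otherKey, "alice@example.com", x509.ExtKeyUsageClientAuth), roots, allowed),
		"ours, serverAuth EKU only":  VerifyClientCert(IssueClient(ours, ourKey, "alice@example.com", x509.ExtKeyUsageServerAuth), roots, allowed),
		"ours, identity not allowed": VerifyClientCert(IssueClient(ours, ourKey, "mallory@example.com", x509.ExtKeyUsageClientAuth), roots, allowed),
	}
}
```

The second and third cases are the thread's two warnings in code: a root pool containing a public CA would accept every leaf that CA ever issued, and a leaf without the clientAuth EKU (as publicly-trusted certs may become) fails the chain check.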