
Client Certificates & mTLS
Without the PKI Nightmare

Issue unlimited client certificates with any duration — hours, days, or months — and enforce mutual TLS on every connection. TLSMCP handles issuance, distribution, rotation, and revocation so you never manage a certificate by hand again.

  • TLS 1.3 · No fallback
  • Certs from 1 hour to 12 months
  • Zero-touch revocation

No Certificate, No Connection

Standard TLS is one-sided: the server proves who it is, but any client can connect. API keys and JWTs sit at the application layer — they're passed after the connection is already open.

Mutual TLS flips this. Both sides present a certificate during the handshake itself. If the client doesn't have a valid cert, the connection is refused before a single byte of application data is exchanged.

This is machine identity enforced at the transport layer. The question is not "who sent this request?" but "should this machine be allowed to connect at all?"

Without mTLS
  • Any machine can open a TCP connection to your service
  • API keys can be leaked, shared, or replayed
  • Identity checks happen after the attacker is already in
With TLSMCP mTLS
  • Connection refused at the TLS handshake without a valid cert
  • Certificates are cryptographic: there is no shared secret to guess, and a captured request can't be replayed without the private key
  • Identity verified before any application code runs

Unlimited Certs. Any Duration.

Traditional PKI makes client certificates expensive — long lead times, manual CSR flows, and fixed expiry dates measured in years. That's why most teams never adopt mTLS.

TLSMCP lets you issue client certificates on demand, with lifetimes from one hour to twelve months. Short-lived certs shrink the revocation problem: a leaked key is useful only until the cert expires. Long-lived certs work for stable infrastructure. Mix and match per service.

No CSR workflows. No manual approval chains. No per-certificate cost. Issue as many as you need, whenever you need them.

# Issue a short-lived client cert (24h)
$ tlsmcp cert issue --type client \
    --service payment-api \
    --ttl 24h
✓ Client cert issued
  CN: payment-api.prod
  Expires: 2026-02-22T14:30:00Z
  Auto-renew: enabled

# Or a long-lived cert for stable infra
$ tlsmcp cert issue --type client \
    --service db-replica-03 \
    --ttl 90d
✓ Client cert issued
  CN: db-replica-03.internal
  Expires: 2026-05-22T14:30:00Z
  Auto-renew: enabled

How TLSMCP Enforces mTLS

TLSMCP deploys as a sidecar proxy alongside your services. It terminates mTLS, validates client certificates, and only forwards authenticated connections to your application.

Service A (client cert), Service B (client cert), AI Agent (client cert)
  --> mTLS handshake -->
TLSMCP Sidecar Proxy (TLS terminated · identity verified)
  --> plain HTTP on localhost -->
Your API · Your MCP Server

Managed by Cyphers Hub: Certificate Authority · Policy Engine · Audit Log

Fully Automated, End to End

TLSMCP manages the entire client certificate lifecycle — from first issuance through rotation to revocation. No manual steps. No forgotten renewals.

Issue

Generate client certs instantly via CLI, API, or Cyphers Hub. Set TTL from hours to months.

Distribute

Certs are pushed to services automatically. No manual copying, no shared drives, no Slack DMs.

Rotate

Auto-renewal before expiry. Overlapping validity windows ensure zero-downtime rotation.

Revoke

Instant revocation from Cyphers Hub. No CRL distribution lag. Connection drops in seconds.

What Makes This Different

Other mTLS solutions require a service mesh, a dedicated PKI team, or both. TLSMCP gives you the security without the overhead.

No Service Mesh Required

TLSMCP is a lightweight sidecar, not a full mesh. Add mTLS to one service at a time without re-architecting your infrastructure.

Built-In Certificate Authority

Issue your own client and server certificates without external CA dependencies. Your trust chain, your control, automated by TLSMCP.

Flexible TTL

Set certificate lifetimes from one hour to twelve months. Short-lived certs for CI/CD, longer certs for stable infrastructure. Per-service control.

TLS 1.3 Only

No fallback to older protocols, so there is no weaker version for a downgrade attack to negotiate. Every connection uses TLS 1.3 with its modern cipher suites only.

Zero Code Changes

Your application talks plain HTTP to localhost. TLSMCP handles the TLS termination and certificate exchange externally. Deploy, don't refactor.

Full Audit Trail

Every certificate issued, every connection attempted, every revocation actioned — logged and visible in Cyphers Hub with full traceability.

# Revoke a compromised client cert
$ tlsmcp cert revoke --cn worker-07.staging
✓ Certificate revoked
  Propagated to 12 proxies in 1.2s
  Active connections terminated: 3

# Check revocation status
$ tlsmcp cert status --cn worker-07.staging
  Status: REVOKED
  Revoked: 2026-02-21T09:15:22Z
  Reason: key_compromise
  Active connections: 0

# List all active client certs
$ tlsmcp cert list --type client --active
  47 active client certificates
  3 expiring within 24h (auto-renew on)
  0 revoked pending cleanup

Instant Revocation. No CRL Lag.

Traditional certificate revocation is slow to take effect. CRLs are cached and refreshed on a schedule. OCSP responders add a network round trip and a point of failure. By the time a revocation propagates, the damage is done.

TLSMCP pushes revocations directly to every proxy in your fleet. When you revoke a client certificate, active connections using that cert are terminated within seconds — not hours or days.

Combine instant revocation with short-lived certificates and you get defense in depth: if a revocation never reaches a proxy, the certificate still expires on its own at the end of its TTL.
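The handshake-level refusal described under "No Certificate, No Connection", the short TTLs from "Unlimited Certs. Any Duration.", and the pushed revocation in this section can be watched end to end in the Go program below. It is an added example written for this page, not TLSMCP code: it mints a throwaway CA and certificates in memory, stands up a TLS 1.3-only listener on loopback that requires a client certificate, and replays five clients against it (no cert, a valid one-hour cert, an expired cert, a cert with the right CN from an unrelated CA, and the valid cert after its serial has been revoked). The in-memory set of revoked serials stands in for whatever state TLSMCP pushes to its proxies; all CNs, TTLs and the `demo-ca` name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sync"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // demo only; a real issuer would return the error
	}
}

// mintCert issues a P-256 cert for cn, valid for ttl from notBefore and signed by issuer (self-signed
// when issuer is nil). Leaf carries the parsed cert. The TTL bounds how long a stolen key stays useful.
func mintCert(cn string, isCA bool, notBefore time.Time, ttl time.Duration, issuer *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl), DNSNames: []string{"localhost"},
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	parent, signer := tmpl, any(key)
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer != nil {
		parent, signer = issuer.Leaf, issuer.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveMTLS runs a TLS 1.3-only listener that refuses any peer without a valid client cert chained
// to the trust pool. revoked stands in for the state a control plane pushes to each proxy: a set of
// revoked serials consulted on every handshake, so no CRL download or OCSP lookup is on the path.
func serveMTLS(trust *x509.CertPool, server tls.Certificate, revoked *sync.Map) (net.Listener, error) {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS13, ClientCAs: trust, Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, // no cert, no connection
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0] // already chained to ClientCAs and checked against the clock
			if _, bad := revoked.Load(leaf.SerialNumber.String()); bad {
				return fmt.Errorf("client cert for %s is revoked", leaf.Subject.CommonName)
			}
			return nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			tc := c.(*tls.Conn)
			tc.SetDeadline(time.Now().Add(5 * time.Second))
			if tc.Handshake() == nil { // a rejected peer gets a TLS alert and no application data
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln, nil
}

// dial connects as a client (leaf nil = no certificate at all) and returns nil only if the server
// sent application data. In TLS 1.3 the client finishes its half of the handshake before the
// server has examined the client cert, so a rejection surfaces as an alert on the first read.
func dial(addr string, trust *x509.CertPool, leaf *tls.Certificate) error {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: trust, ServerName: "localhost"}
	if leaf != nil {
		cfg.Certificates = []tls.Certificate{*leaf}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	_, err = conn.Read(make([]byte, 64))
	return err
}

// runScenarios replays the cases the page describes and reports which clients got through; only
// the unexpired, unrevoked certificate issued by the trusted CA should.
func runScenarios() map[string]bool {
	now := time.Now()
	ca := mintCert("demo-ca", true, now.Add(-time.Hour), 24*time.Hour, nil) // assumed CA name
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	revoked := &sync.Map{}
	ln, err := serveMTLS(trust, mintCert("payment-api.prod", false, now.Add(-time.Minute), time.Hour, &ca), revoked)
	check(err)
	defer ln.Close()
	addr := ln.Addr().String()
	good := mintCert("worker-07.staging", false, now.Add(-time.Minute), time.Hour, &ca)      // 1h TTL
	expired := mintCert("worker-01.staging", false, now.Add(-3*time.Hour), time.Hour, &ca)   // lapsed 2h ago
	rogueCA := mintCert("rogue-ca", true, now.Add(-time.Hour), 24*time.Hour, nil)
	rogue := mintCert("worker-07.staging", false, now.Add(-time.Minute), time.Hour, &rogueCA) // right CN, wrong chain
	results := map[string]bool{
		"no-cert":         dial(addr, trust, nil) == nil,
		"valid-cert":      dial(addr, trust, &good) == nil,
		"expired-cert":    dial(addr, trust, &expired) == nil,
		"foreign-ca-cert": dial(addr, trust, &rogue) == nil,
	}
	revoked.Store(good.Leaf.SerialNumber.String(), true) // what a `tlsmcp cert revoke` push amounts to
	results["revoked-cert"] = dial(addr, trust, &good) == nil
	return results
}

func main() {
	fmt.Println(runScenarios())
}
```

Run it with `go run`; only valid-cert comes back true. The detail worth noticing is in dial: under TLS 1.3 the client's Dial succeeds even when the server is about to reject it, because the client completes its half of the handshake before the server has read the certificate, and the refusal arrives as a TLS alert on the first read. A client that only checks whether Dial returned an error will misreport an mTLS rejection as success.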

Where mTLS with TLSMCP Matters Most

Every machine-to-machine connection is a potential attack surface. Here's where teams deploy TLSMCP first.

AI Agent & MCP Servers

AI agents running autonomously need verified identity, not just API keys. mTLS ensures only authorized agents connect to your MCP servers, with every connection logged and attributable.

Microservice Communication

East-west traffic between services is the attack surface you can't see. mTLS ensures every internal call is authenticated — no rogue containers, no network-level impersonation.

CI/CD Pipelines

Build runners, deployment agents, and artifact stores all talk to production. Short-lived client certs (1-4 hours) scope access to the current job and expire automatically.

Database & Data Store Access

Protect database connections with client certificates instead of password-based auth. Each service gets its own identity, revocable independently without rotating shared credentials.

Multi-Cloud & Hybrid

Services spanning AWS, GCP, and on-prem need a common identity layer that doesn't depend on any single cloud's IAM. mTLS with TLSMCP provides that layer.

Third-Party Integrations

Give partners and vendors their own client certificates with defined TTLs. When the contract ends, revoke the cert — access disappears instantly across your entire fleet.

mTLS Questions, Answered

Do I need a service mesh to use mTLS?

No. TLSMCP deploys as a lightweight sidecar proxy — one binary per service. You get mTLS without Istio, Linkerd, or any mesh control plane. Add it to one service at a time; it works alongside your existing infrastructure.

How short can client certificate lifetimes be?

As short as one hour. Short-lived certificates are the strongest posture because a compromised key is useful only until the cert expires, which bounds what an attacker can do with it. TLSMCP auto-renews before expiry so your services never experience downtime.

What happens if a certificate is compromised?

Revoke it from Cyphers Hub or the CLI. The revocation propagates to all TLSMCP proxies in seconds — not hours. Active connections using that certificate are terminated immediately. No CRL caching delays, no OCSP lookup failures.

Does my application need code changes?

Zero. Your application continues to serve plain HTTP on localhost. The TLSMCP sidecar handles TLS termination, certificate validation, and mTLS enforcement externally. Your app never sees a certificate; it just receives pre-authenticated requests. Because that last hop is plaintext, bind the application to the loopback interface only, so the sidecar is the only way to reach it.

Can I use my existing certificates alongside TLSMCP?

Yes. TLSMCP can work with your existing CA infrastructure or act as its own certificate authority. You can migrate gradually — some services on TLSMCP-issued certs, others using your existing chain — with a single trust policy managed in Cyphers Hub.

How does this relate to the [cyphers] Score?

Enabling mTLS with TLSMCP directly improves two of the four Score dimensions: TLS Policy Enforcement and Certificate Strength. Short-lived client certificates with auto-rotation also boost your Lifecycle Hygiene score. Learn more about the [cyphers] Score →

Enable mTLS in Minutes, Not Months

Start with a single service. Issue your first client certificate. See mTLS working in your environment — free.