
Certificates & mTLS

The connector authenticates to the gateway with mutual TLS (mTLS): it presents a client certificate issued by the dedicated AD Unlock Connector CA, and it accepts only a gateway certificate that chains to the AD Unlock CA shipped in its bundle.

How mTLS Works

Unlike standard TLS, where only the server proves its identity, mTLS requires both parties to authenticate: the gateway presents its certificate to the connector, and the connector presents its client certificate to the gateway. Each side also proves possession of the private key matching its certificate during the handshake, so a copied certificate file without its key is of no use to an attacker:

    Connector                                      Gateway
        │                                              │
        │──── Client Hello ───────────────────────────►│
        │◄─── Server Hello + Server Certificate ───────│
        │                                              │
        │──── Verify Server Certificate                │
        │                                              │
        │──── Client Certificate ─────────────────────►│
        │                                              │ Verify
        │                                              │ Client
        │                                              │ Cert
        │                                              │
        │◄─── TLS Established ─────────────────────────│
        │                                              │

Certificate Structure

Connector Certificate

Contains:

  • Subject CN: connector/<tenant_id>/<connector_id>
  • Validity: 365 days
  • Extended Key Usage: TLS Web Client Authentication (id-kp-clientAuth)
  • Key Size: RSA 2048-bit

Example:

    Subject:    CN=connector/abc123-def456/conn-789
    Issuer:     CN=AD Unlock Connector CA
    Valid From: Jan 1, 2024
    Valid To:   Jan 1, 2025

Certificate Authority

  • Dedicated CA for connector certificates
  • Private key in AWS CloudHSM
  • CA certificate distributed to gateways

Certificate Lifecycle

Generation

  1. Admin creates connector in portal
  2. Server generates key pair
  3. Certificate signed by CA
  4. Bundle created with cert, key, CA

Download

The connector bundle contains the files below. Because it includes the private key, treat the downloaded bundle itself as a secret: copy it only to the connector host and delete any remaining copies once it is installed.

    certs/
    ├── connector.pem       # Client certificate
    ├── connector-key.pem   # Private key
    └── ca.pem              # CA certificate

Renewal

Before expiration:

  1. Portal shows warning (30 days before)
  2. Admin clicks “Renew Certificate”
  3. New certificate generated
  4. Download new bundle
  5. Replace on connector
  6. Restart service
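The renewal steps above can be scripted on the connector host so that the 30-day window is also checked locally, independent of the portal, and so that the bundle replacement is done with a backup and a restart check. The script below is an added example and is not part of the AD Unlock documentation or product. It assumes the connector is installed under C:\ADConnector, that the Windows service is named ADUnlockConnector (a hypothetical name; check the real one in services.msc), and that the renewed bundle has been extracted so that its certs folder is $NewBundleDir.

```powershell
# Added example, not from the AD Unlock docs: check remaining validity of the
# connector certificate and, when a renewed bundle has been downloaded,
# install it in place and restart the connector service.
param(
    [string]$CertDir      = 'C:\ADConnector\certs',
    [string]$NewBundleDir = "$env:USERPROFILE\Downloads\connector-bundle\certs",
    [string]$ServiceName  = 'ADUnlockConnector',   # hypothetical service name
    [int]   $WarnDays     = 30                     # matches the portal's warning window
)

function Get-PemCertificate([string]$Path) {
    # X509Certificate2 accepts PEM-encoded certificate files directly.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
}

function Test-ConnectorCertExpiry {
    param([string]$Path, [int]$WarnDays)
    $cert     = Get-PemCertificate $Path
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject  = $cert.Subject
        NotAfter = $cert.NotAfter
        DaysLeft = $daysLeft
        Renew    = ($daysLeft -le $WarnDays)
    }
}

function Install-ConnectorBundle {
    param([string]$CertDir, [string]$NewBundleDir, [string]$ServiceName)

    $old = Get-PemCertificate (Join-Path $CertDir 'connector.pem')
    $new = Get-PemCertificate (Join-Path $NewBundleDir 'connector.pem')
    $ca  = Get-PemCertificate (Join-Path $NewBundleDir 'ca.pem')

    # Sanity checks before touching anything: same connector identity,
    # issued by the bundled CA, currently valid, and actually newer.
    if ($new.Subject -ne $old.Subject)   { throw "Subject changed: $($new.Subject) vs $($old.Subject)" }
    if ($new.Issuer  -ne $ca.Subject)    { throw "New certificate is not issued by the bundled CA" }
    if ((Get-Date) -lt $new.NotBefore)   { throw "New certificate is not yet valid" }
    if ($new.NotAfter -le $old.NotAfter) { throw "New certificate does not extend validity" }

    # Keep the current material so a failed restart can be rolled back.
    $backup = "$CertDir.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"
    Copy-Item -Path $CertDir -Destination $backup -Recurse

    Stop-Service -Name $ServiceName
    foreach ($f in 'connector.pem', 'connector-key.pem', 'ca.pem') {
        Copy-Item -Path (Join-Path $NewBundleDir $f) -Destination (Join-Path $CertDir $f) -Force
    }
    # Re-apply the key's restrictive ACL (SYSTEM read-only, no inheritance)
    # rather than relying on the copy to preserve it.
    $key = Join-Path $CertDir 'connector-key.pem'
    icacls $key /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(R)' | Out-Null

    Start-Service -Name $ServiceName
    if ((Get-Service -Name $ServiceName).Status -ne 'Running') {
        throw "Service failed to start; previous certificates are in $backup"
    }
    # The download location no longer needs a copy of the private key.
    Remove-Item -Path (Join-Path $NewBundleDir 'connector-key.pem') -Force
    Get-PemCertificate (Join-Path $CertDir 'connector.pem') | Select-Object Subject, NotAfter
}

$status = Test-ConnectorCertExpiry -Path (Join-Path $CertDir 'connector.pem') -WarnDays $WarnDays
$status
if ($status.Renew -and (Test-Path (Join-Path $NewBundleDir 'connector.pem'))) {
    Install-ConnectorBundle -CertDir $CertDir -NewBundleDir $NewBundleDir -ServiceName $ServiceName
}
```

Run it from an elevated PowerShell session on the connector host; scheduling the expiry check alone (without a bundle present) gives an alert that does not depend on someone logging in to the portal. Delete the backup folder once the renewed certificate has been confirmed working, since it holds the old private key.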

Revocation

If compromised:

  1. Admin revokes certificate in portal
  2. Gateway rejects immediately
  3. Generate new certificate
  4. Deploy to connector

Security Considerations

Private Key Protection

    # Restrict the private key to the account the connector service runs as.
    # This assumes the service runs as LocalSystem (NT AUTHORITY\SYSTEM); if it
    # runs under a dedicated service account, grant that identity instead.
    $keyPath = "C:\ADConnector\certs\connector-key.pem"
    $acl = Get-Acl -Path $keyPath

    # Stop inheriting from the parent folder and drop the inherited entries
    # (second argument $false), so only the rule added below remains.
    $acl.SetAccessRuleProtection($true, $false)

    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList "NT AUTHORITY\SYSTEM", "Read", "Allow"
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl

Certificate Pinning

The connector validates, before sending its own credentials:

  • The gateway's certificate chain builds to a trusted issuer
  • That issuer is the AD Unlock CA shipped in the bundle as ca.pem, not any other CA
  • No certificate in the chain is expired or not yet valid

No Root CA Trust

Connector does NOT trust system root CAs for gateway connection - only the specific AD Unlock CA.
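The acceptance rule in the two sections above (chain must end at the bundled CA, nothing expired, Windows root store ignored) can be reproduced in PowerShell so an operator can test a certificate against ca.pem without installing anything in a Windows store. The function below is an added example, not code from the AD Unlock connector or documentation. It assumes the bundle is at C:\ADConnector\certs; the certificate to test can be any X509Certificate2, for instance a gateway certificate saved to disk from the output of `openssl s_client -showcerts`.

```powershell
# Added example, not from the AD Unlock docs: accept a certificate only if the
# chain it builds ends at exactly the CA in ca.pem. Chains that end at a root
# in the Windows trust store are rejected, which is the "No Root CA Trust" rule.
function Test-PinnedGatewayCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [string]$CaPath = 'C:\ADConnector\certs\ca.pem',
        [switch]$RequireServerAuth
    )
    $ca    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

    # Offer ca.pem as a possible issuer WITHOUT adding it to any Windows store.
    [void]$chain.ChainPolicy.ExtraStore.Add($ca)
    # ca.pem is not a Windows trusted root, so Build() would report
    # UntrustedRoot. Tolerate only that status; the root is pinned explicitly below.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck   # offline check
    if ($RequireServerAuth) {
        # id-kp-serverAuth: a connector (client-auth) certificate must not pass as a gateway.
        [void]$chain.ChainPolicy.ApplicationPolicy.Add(
            [System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.1'))
    }

    # Build() still enforces signatures, validity dates and EKU; only the
    # tolerated UntrustedRoot status is filtered out of the fault list.
    $built  = $chain.Build($Leaf)
    $faults = @($chain.ChainStatus |
        Where-Object { $_.Status -ne 'UntrustedRoot' } |
        ForEach-Object { $_.StatusInformation.Trim() })

    $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $pinned = ($root.Thumbprint -eq $ca.Thumbprint)

    $reason = if (-not $built -or $faults.Count -gt 0) { $faults -join '; ' }
              elseif (-not $pinned) { "chain ends at '$($root.Subject)', not the AD Unlock CA" }
              else { 'ok' }

    [pscustomobject]@{
        Subject   = $Leaf.Subject
        ChainRoot = $root.Subject
        Accepted  = ($built -and $faults.Count -eq 0 -and $pinned)
        Reason    = $reason
    }
}

# The bundle's own connector certificate chains to ca.pem and is accepted
# (no -RequireServerAuth here, because connector.pem carries the client-auth EKU).
$conn = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\ADConnector\certs\connector.pem')
Test-PinnedGatewayCert -Leaf $conn

# Any certificate from the machine's Trusted Root store chains to itself, not
# to ca.pem, and is rejected even though Windows trusts it.
$publicRoot = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 1
Test-PinnedGatewayCert -Leaf $publicRoot
```

The post-build thumbprint comparison is what turns "chain builds" into "chain builds to our CA"; without it, AllowUnknownCertificateAuthority plus the Windows root store would accept any publicly issued certificate. On PowerShell 7 (.NET 5 and later) the same pin can be expressed as policy instead, by setting `$chain.ChainPolicy.TrustMode` to `CustomRootTrust` and adding the CA to `$chain.ChainPolicy.CustomTrustStore`, which makes Build() itself fail for any other root.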
