It’s no longer enough for internal services to talk to each other based on network-segment trust alone. In Kubernetes, on virtual machines, or in hybrid setups, sharing a segment doesn’t mean a call is actually coming from an authorized service. mTLS closes that gap by encrypting the traffic and requiring the client to prove its identity with a certificate. Nginx is a fairly handy starting point for adopting this model in a small, controlled way.
What are we building?
The goal is to have a specific internal service accept only calls bearing a client certificate signed by the corporate CA. The simple model has three components:
- An Nginx using a server certificate
- A CA that issues client certificates
- The target service running behind it
Nginx validates the client certificate, applies extra policy based on the CN or SAN, and forwards traffic to the backend service.
Basic Nginx configuration
Sample block:
server {
listen 443 ssl;
server_name internal-api.example.local;
ssl_certificate /etc/nginx/tls/server.crt;
ssl_certificate_key /etc/nginx/tls/server.key;
ssl_client_certificate /etc/nginx/tls/ca.crt;
ssl_verify_client on;
location / {
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_pass http://backend_service;
}
}This setup makes the client certificate mandatory. But for production use, just turning on ssl_verify_client on isn’t sufficient; the certificate lifecycle and authority mapping need separate attention.
Why is the certificate lifecycle critical?
Most mTLS projects fall apart at the renewal step. For a healthy model:
- Use short-lived client certificates
- Automate distribution
- Test the revocation or access-removal flow
- Track in your inventory which service account uses which certificate
Long-lived client certificates are the TLS version of the shared SSH key problem.
Which fields should you watch in practice?
When setting up mTLS through Nginx, these areas pay off quickly:
- Trusting only a specific CA chain
- Mapping services using
subjectAltNameor distinguished name - Forwarding the client identity to the backend through trusted headers
- Sending failed validations to a dedicated log stream
This not only delivers access control but also creates security visibility.
Logging and observability
mTLS debugging can look hard at first because the connection drops at the TLS layer. So at minimum the access and error logs should capture:
- Certificate validation outcome
- Client DN or SAN information
- Target upstream
- TLS version and cipher
These records become an authentication trail for the security team and a connection-troubleshooting tool for the platform team.
Where does it work as a good starting point?
Nginx-based mTLS is especially handy in cases like:
- Controlled migration between a monolith and microservices
- Integration services around an ERP environment
- Internal APIs running on virtual machines
- A narrow security need before standing up a service mesh
At larger scale, a service mesh or a central identity infrastructure may be preferable; still, the Nginx approach offers a controlled and understandable starting point.
Conclusion
mTLS-based service identity verification with Nginx moves internal-network security from segment boundaries to the level of service identity. For a successful implementation, the real issue isn’t the lines of configuration; it’s thinking about CA management, certificate lifetime, identity mapping, and log visibility together. Done right, this model makes internal service traffic far clearer and more defensible.