mTLS Security


Along with the auth code flow, Platform 6 Integration Models also support Mutual TLS (mTLS), a variation on transport layer security (TLS) that extends the secure channel TLS provides by adding authentication in both directions between client and server. In mTLS, both the client and the server present a certificate, and each side authenticates the other using its own public/private key pair.

mTLS security schema

In the securitySchemes object of an example imported integration model, the securityKey sets the authentication type to mutualTLS, which supports the ca, certificate, and key credentials.

How to apply mutual TLS authentication

To set up mTLS, you need trusted certificates: the CA, certificate, and key files that you upload in the steps below.

To configure mTLS authentication:

  1. Go to Itential Platform > Admin Essentials > Integrations and select your integration from the left navigation.

  2. From the Integration UI, drag and drop your files into the drag-and-drop area to upload your certificate, key, and ca files. Alternatively, select click to browse to navigate to the files on your system.

  3. After the files are uploaded to the integration, select the enabled checkbox below tls to enforce mTLS and only allow a connection when mTLS authentication is successful.

    Tip: To allow a connection to proceed even if mTLS authentication fails, or a request is sent without a mutual client certificate, clear this checkbox.

  4. Click Save to retain your changes.

CyberArk CCP limitation for PEM key files

Important

CyberArk CCP cannot be used to store PEM-formatted key files, because CyberArk replaces newlines with spaces in password values, while the PEM file format depends on newlines as part of its structure.

To work around this limitation, use one of the following approaches:

  • Upload directly: Upload your key file directly to your Integration in Itential Platform.
  • Use HashiCorp Vault: Store your key file in HashiCorp Vault and reference it using a $SECRET or $KEY Vault secret reference.
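The following is an added example (not Itential's or CyberArk's own code) that reproduces the failure mode described above and gives operators a check for it: a throwaway key is encoded as PEM, its newlines are replaced with spaces the way the page says CyberArk CCP does to password values, and a validation function shows that Go's standard PEM decoder can no longer find a block in the flattened value while the intact one still parses. The flattening helper, the generated key, and the error wording are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// CheckPEMKey validates a private-key value read back from a secret store and
// distinguishes the CyberArk-style "newlines became spaces" case from other bad values.
func CheckPEMKey(value string) error {
	block, _ := pem.Decode([]byte(value))
	if block == nil {
		if strings.Contains(value, "-----BEGIN ") && !strings.Contains(value, "\n") {
			return errors.New("PEM flattened: newlines were replaced by spaces, no block decodes")
		}
		return errors.New("no PEM block found in value")
	}
	if _, err := x509.ParsePKCS8PrivateKey(block.Bytes); err != nil {
		return fmt.Errorf("PEM block decoded but key did not parse: %w", err)
	}
	return nil
}

// FlattenLikeCCP reproduces the password-field behaviour the page describes: every newline becomes a space.
func FlattenLikeCCP(pemText string) string { return strings.ReplaceAll(pemText, "\n", " ") }

// NewTestKeyPEM generates a throwaway P-256 key (constructed test data, not a real credential) as PKCS#8 PEM.
func NewTestKeyPEM() (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})), nil
}

func main() {
	keyPEM, _ := NewTestKeyPEM()
	fmt.Println("intact:   ", CheckPEMKey(keyPEM))
	fmt.Println("flattened:", CheckPEMKey(FlattenLikeCCP(keyPEM)))
}
```

Running the same check against a value fetched from a secret store before the integration uses it tells you immediately whether the store preserved the PEM structure.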