---
title: Validate mTLS Certificates Before Auth
impact: CRITICAL
impactDescription: ensures mutual authentication between services
tags: mtls, certificates, authentication, service-mesh, security, csharp
---

## Validate mTLS Certificates Before Auth

Use mutual TLS (mTLS) for service-to-service authentication, and validate the client certificate before the request reaches authentication.

**Configuration (Kestrel):**

```csharp
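using System.Net.Security;
using Microsoft.AspNetCore.Server.Kestrel.Https;

webBuilder.ConfigureKestrel(options =>
{
    options.ConfigureHttpsDefaults(httpsOptions =>
    {
        httpsOptions.ClientCertificateMode = ClientCertificateMode.RequireCertificate;

        // Custom validation logic. Once this callback is set, Kestrel no longer
        // rejects policy errors itself, so the callback must check them.
        httpsOptions.ClientCertificateValidation = (cert, chain, errors) =>
        {
            // Reject untrusted, expired or otherwise invalid chains first: the Issuer
            // string alone can be set by anyone who self-signs a certificate.
            // This check requires the internal CA to be in the host's trust store.
            if (errors != SslPolicyErrors.None)
            {
                return false;
            }

            return cert.Issuer == "CN=MyInternalCA";
        };
    });
});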
```
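
Matching on the `Issuer` string checks a name, not a signature. The following added example (not code from the original page) shows a validation callback that rebuilds the chain against one pinned internal CA certificate, which also works when that CA is not installed in the host's trust store. It assumes .NET 5 or later, a hypothetical CA file path, client certificates issued directly by that CA, and no published revocation endpoint; `InternalCaValidator` is a name introduced here.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class InternalCaValidator
{
    // Assumption: placeholder path to the internal CA's public certificate (PEM or DER).
    private static readonly X509Certificate2 InternalCa =
        new X509Certificate2("/etc/ssl/internal/placeholder-internal-ca.crt");

    // Signature matches HttpsConnectionAdapterOptions.ClientCertificateValidation.
    public static bool Validate(X509Certificate2 cert, X509Chain? handshakeChain,
                                SslPolicyErrors errors)
    {
        // Chain errors from the handshake are expected when the OS store does not
        // trust the private CA; the chain is rebuilt below against the pinned root.
        // Any other policy error is fatal.
        if ((errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
            return false;

        using var chain = new X509Chain();
        // Trust only the pinned CA, not the machine or user root stores.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(InternalCa);
        // Assumption: the internal CA publishes no CRL/OCSP endpoint.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Require the clientAuth extended key usage (OID 1.3.6.1.5.5.7.3.2).
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

        // Build() verifies signatures, validity dates and EKU up to the pinned root.
        if (!chain.Build(cert))
            return false;

        // Defense in depth: confirm the chain root is byte-for-byte the pinned CA.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return root.RawData.AsSpan().SequenceEqual(InternalCa.RawData);
    }
}

// Wiring inside ConfigureHttpsDefaults:
//   httpsOptions.ClientCertificateValidation = InternalCaValidator.Validate;
```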

**Authorization:**

```csharp
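// Service registration: add the certificate authentication handler
services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate();

// Controller action: [Authorize] takes effect only when app.UseAuthentication()
// and app.UseAuthorization() are in the request pipeline
[Authorize]
public IActionResult InternalApi() => Ok();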
```

**Tools:** Kestrel Configuration, OpenSSL
