Understand mutual TLS at Google Cloud
Mutual TLS (mTLS) is an industry standard protocol for mutual authentication
between a client and a server. The mTLS protocol ensures that both the client
and the server, at each end of a network connection, are who they claim to be by
verifying that each possesses the private key associated with its certificate
(for the client, the client certificate).
What is a client certificate?
A client certificate, also called a Transport Layer Security (TLS) certificate,
is a file that contains important information for verifying a device's identity.
The certificate information includes the public key, a statement of who issued
the certificate (certificates can be issued by certificate authorities or
self-signed), and the certificate's expiration date.
How the Google APIs validate device identity
The TLS protocol uses a technique called public key infrastructure (PKI), which
relies on a pair of asymmetric keys: a public key and a private key. Anything
encrypted with the private key can be decrypted only with the public key. The
Google Cloud APIs use the TLS protocol to verify the identity of a device by
decrypting, with the public key in the certificate, a message that the device
encrypted with its private key during the mTLS handshake. Successful decryption
proves possession of the private key, which is available only on trusted devices.
To enable the mTLS handshake and validation process, a client must do the following:

- Establish an mTLS connection with the Google APIs by using mTLS-specific API
  endpoints. The mTLS-specific endpoints have the following format:
  [service].mtls.googleapis.com

- Discover and use the device certificate during the mTLS handshake. If you are
  using Endpoint Verification for certificate deployment, this type of certificate
  is automatically discovered and used by the supported clients.
The following diagram illustrates the mTLS handshake between a client and a
Google API server:
What's next

- Set up certificate-based access: /chrome-enterprise-premium/docs/set-up-cba

Last updated 2025-08-25 UTC.