How to Implement Zero Trust with TLS Client Certificates

An introduction to the model and a quick way to deploy it

Dorai Ashok S A
Oct 21 · 4 min read

As the word implies, in a zero-trust security model no device or user is trusted, and every request received by the system goes through validation and authentication. This essentially means that no device or user enters the organization's private network; only the application hosted on the edge provides access to them.

This is in contrast to the trusted-device model, where on successful authentication the device is trusted and allowed access to the private network, as in the case of enterprise VPNs. The downside of this model is that when a trusted device is compromised, the entire private network may be at risk. The upside is flexibility: when you have services using different protocols such as IMAP, XMPP, RDP, SSH, SMB, NFS, and so on, how do you authenticate every request at the edge?


As more and more services become available as web applications, it has become possible to deploy an application proxy at the edge that authenticates and grants access to internal web applications. This provides zero-trust security if the authentication method used is robust and secure. Currently, the most popular authentication method is OAuth 2.0.

OAuth 2.0

While OAuth provides a layer of authentication, it is typically not sufficient. The access tokens stored on the device to authenticate every request can be compromised through browser vulnerabilities, malicious extensions, and so on. OAuth has downsides of its own as well, as is evident from recent attacks (see “Beware of OAuth”).

What if I say, your Email ID is all I need to take over your account on your favorite website or an app. Sounds scary, right? This is what a bug in Sign in with Apple allowed me to do.

And it is not uncommon for a login system itself to be vulnerable, such as the critical vulnerability in Sign in with Apple. Hence, while endpoint protection helps, it is important to have additional layers of authentication.

TLS Client Certificates

With HTTP/TLS being the de facto standard for web applications, one can use the client certificate feature of the TLS protocol as an additional layer of authentication. This provides additional security in the zero trust model without any impact on user experience or productivity. Once a user chooses a certificate for authentication, the web browser remembers it and continues to use it for further connections to the website. This way every connection established uses the client certificate, and the user is not interrupted.

On the server side there are no special paths: every connection made to the server needs to present a valid client certificate, or else it simply fails. Popular web servers such as Apache HTTP Server and nginx (Engine X) can be quickly configured to achieve this. The article “A Guide to Secure Internal Websites in 15 Minutes” provides the required steps.
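As an added example (not code from the article or from 0SNet), the Go program below shows the server-side rule the paragraph describes: the listener demands a certificate chaining to an internal CA on every connection, a client without one fails at the TLS handshake before any handler runs, and the handler takes the user identity from the verified certificate rather than from a cookie or token. The CA, the user alice@example.test and the server are all constructed in memory for the demo; this is the behaviour that nginx's ssl_verify_client on enforces in production.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints an in-memory certificate for cn signed by parent, or a self-signed CA when parent is nil.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MTLSDemo runs an HTTPS server that requires a certificate from the internal CA on every connection and
// returns the identity it derived for an enrolled client plus the error an unenrolled client received.
func MTLSDemo() (identity string, unenrolledErr error) {
	ca, caKey := issue("Example Internal CA", nil, nil)          // constructed demo CA
	userCert, userKey := issue("alice@example.test", ca, caKey) // constructed demo user
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reached only after the chain verified: identity comes from the certificate, not a cookie or token.
		w.Header().Set("X-Authenticated-User", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	srv.StartTLS()
	defer srv.Close()
	_, unenrolledErr = srv.Client().Get(srv.URL) // no certificate: rejected at the handshake, handler never runs
	srv.Client().Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{userCert.Raw}, PrivateKey: userKey}}
	if resp, err := srv.Client().Get(srv.URL); err == nil { // the same client now presents alice's certificate
		identity = resp.Header.Get("X-Authenticated-User")
	}
	return identity, unenrolledErr
}
```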

Other than HTTP

Most protocols that run on top of TCP can easily support TLS, since it is transparent to the application and can even be deployed as a proxy on the server side. However, the same cannot be said of the client side: the applications used by end users need to support TLS directly, and adding the ability to handle TLS client certificates securely is not easy. Hence, this is unlikely to change, and HTTP will likely remain the predominant user of TLS and TLS client certificates.

Best of both worlds

TLS client certificates provide the best of both enterprise VPNs and authentication proxies. They implement the zero trust model, unlike the trusted-device model of an enterprise VPN, and they fill the security gaps of an authentication proxy.

However, the complexity of managing TLS client certificates has been their primary downside. At 0th Root, we have taken great strides in simplifying their management within an organization and have significantly reduced the effort needed to secure internal websites with them. Do check out our product, 0th Root Secure Network.

0th Root Secure Network — 0SNet is a solution that secures an organization’s internal web applications with TLS client certificates. It implements a zero-trust security model and is also available as images on AWS, GCP, and Azure.

FAUN

The Must-Read Publication for Creative Developers & DevOps Enthusiasts

Dorai Ashok S A

Written by

Building 0th Root | SSHBI | 0th Root Secure Network