Authentication with mTLS

The Pismo implementation of Mutual Transport Layer Security (mTLS) is a transport-level security process that verifies the identity of both sides of the communication stream, the client and the Pismo platform. Ordinary TLS authenticates only the server; mTLS also requires the client to prove its identity with a certificate of its own. This gives clients an added layer of trust and security and ensures that the Pismo platform can only be accessed by clients that present a certificate signed by a certificate authority (CA) the platform trusts.

How the mTLS process works

The following is an overview of how the authentication process works on the Pismo platform. During the process, if either side fails to present a certificate that the other side can validate, the handshake is aborted, the connection is closed and no application data is transmitted in either direction.

  1. The client connects to the Pismo platform.
  2. The Pismo platform delivers its TLS certificate and requests a certificate from the client.
  3. The client verifies the platform's certificate against the CA it trusts.
  4. The client presents its certificate to the Pismo platform.
  5. The Pismo platform validates the client's certificate against the CA it trusts.
  6. The Pismo platform grants access to the client.
  7. The client and platform exchange information over the encrypted TLS connection.
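The following Go program is added here as an illustration of the exchange above; it is not Pismo's or Cloudflare's code. It builds a throw-away PKI in memory (a self-signed root named `demo-root-ca` stands in for the CA that issues the real certificates; `platform.example` and `client.example` are placeholder names) and runs the handshake over a loopback socket with the standard library's `crypto/tls`. It then repeats the handshake in the three ways that must fail: the client presents no certificate at step 4, the client's certificate chains to a CA the platform does not trust (step 5), and the platform's certificate chains to a CA the client does not trust (step 3). Only the first run succeeds and carries application data, which is the rule stated above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a self-signed CA when parent is nil, else a leaf signed by parent with extended key usage eku.
func issue(name string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(3 * 365 * 24 * time.Hour), // three-year lifetime, as on the page
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed root
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// exchange runs one handshake over loopback and returns the first error either side reports.
func exchange(serverCfg, clientCfg *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			tc := tls.Server(c, serverCfg)
			if err = tc.Handshake(); err == nil { // step 5: the client certificate chains to a trusted CA
				_, err = tc.Write([]byte("ok")) // step 7: data flows only after both sides are verified
			}
			tc.Close()
		}
		serverErr <- err
	}()
	conn, clientErr := tls.Dial("tcp", ln.Addr().String(), clientCfg) // steps 1-4; fails at step 3 for an untrusted server
	if clientErr == nil {
		// TLS 1.3 lets the client finish before the server has judged its certificate; reading surfaces the alert.
		_, clientErr = conn.Read(make([]byte, 2))
		conn.Close()
	}
	if err := <-serverErr; err != nil {
		return err
	}
	return clientErr
}

// Scenarios builds a throw-away PKI and runs the exchange four ways; only the first should succeed.
func Scenarios() (valid, noClientCert, untrustedClientCA, untrustedServerCA error) {
	ca := issue("demo-root-ca", x509.ExtKeyUsageAny, nil) // placeholder for the CA that issues the real certificates
	rogue := issue("other-ca", x509.ExtKeyUsageAny, nil)  // a CA neither side has been told to trust
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	server := func(c tls.Certificate) *tls.Config { // RequireAndVerifyClientCert is what makes the TLS mutual
		return &tls.Config{Certificates: []tls.Certificate{c}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted}
	}
	client := func(c ...tls.Certificate) *tls.Config { // called with no argument, the client presents nothing at step 4
		return &tls.Config{Certificates: c, RootCAs: trusted, ServerName: "platform.example"}
	}
	srv, cli := issue("platform.example", x509.ExtKeyUsageServerAuth, &ca), issue("client.example", x509.ExtKeyUsageClientAuth, &ca)
	valid = exchange(server(srv), client(cli))
	noClientCert = exchange(server(srv), client())
	untrustedClientCA = exchange(server(srv), client(issue("client.example", x509.ExtKeyUsageClientAuth, &rogue)))
	untrustedServerCA = exchange(server(issue("platform.example", x509.ExtKeyUsageServerAuth, &rogue)), client(cli))
	return
}

func main() {
	valid, noClientCert, untrustedClientCA, untrustedServerCA := Scenarios()
	fmt.Printf("valid: %v\nno client cert: %v\nuntrusted client CA: %v\nuntrusted server CA: %v\n",
		valid, noClientCert, untrustedClientCA, untrustedServerCA)
}
```

`ClientAuth: tls.RequireAndVerifyClientCert` together with `ClientCAs` is the server-side setting that turns ordinary TLS into mTLS; the default, `NoClientCert`, would silently accept anonymous clients. Under TLS 1.3 a client's `Dial` can return before the server has rejected its certificate, which is why the example reads from the connection before treating the exchange as successful. In the untrusted-client-CA run, Go's client may itself decline to offer a certificate that does not match the CAs named in the server's certificate request, so the server reports either an unknown authority or a missing certificate; in both cases the connection is refused.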

Important details

The Pismo mTLS process ensures that all parties involved in the connection are who they claim to be. This protocol keeps Pismo in compliance with mandatory legislation, such as the European Union's eIDAS regulation and the revised Payment Services Directive (PSD2).

Pismo uses Cloudflare to issue the signed certificates for the mTLS process; they have a three-year validity period, so clients should plan renewal before expiry to avoid losing access. If clients wish to use certificates from other signing authorities, a risk letter will have to be created, as Pismo cannot then guarantee that the parties in each connection are who they claim to be. In addition to the certificates, Pismo uses the Cloudflare Web Application Firewall (WAF), which also provides protection against distributed denial-of-service (DDoS) attacks.

If you are interested in configuring mTLS, contact your Pismo representative to begin the process.