Mutual Authentication

Mutual authentication, also known as two-way authentication, is a security process in which entities authenticate each other before actual communication occurs. In a network environment, this requires that both the client and the server must provide digital certificates to prove their identities. In a mutual authentication process, a connection can occur only if the client and the server exchange, verify, and trust each other’s certificates. The certificate exchange occurs by means of the Transport Layer Security (TLS) protocol. The core of this process is to make sure that clients communicate with legitimate servers, and servers cooperate only with clients who attempt access for legitimate purposes.

The mutual authentication process involves the following certificates:

Root CA certificate
Used to identify a certificate authority (CA) that signed a client's certificate. It is a self-signed certificate that meets the X.509 standard, defining the format of public key certificates. In IoT products, clients upload a root CA certificate or a certificate chain to verify that the certificates that client devices send to edge servers can be trusted. See Upload the Mutual Authentication root certificate.
Server SSL certificate
Used to identify edge servers to client devices over TLS and to establish a secure connection during the TLS handshake. It is the enhanced TLS certificate that you provide in your property configuration. See Associate a property hostname to an edge hostname.
Client SSL certificate
Used to identify client devices to edge servers over TLS. This certificate must meet the X.509 standard, defining the format of public key certificates.
The process of authenticating and establishing an encrypted channel using certificate-based mutual authentication involves the following steps:


  1. During configuration, administrators provide a root CA certificate or a certificate chain used to sign certificates on client devices. They can do it in Certificate Provisioning System (CPS). See Upload the Mutual Authentication root certificate.
  2. The OTA Updates application deploys the certificate chain to the Akamai Platform.
  3. Once the signing CA certificates propagate across the Akamai Platform, client device can connect by using MQTT, HTTP, or WebSocket protocols and request access to a topic.
  4. The edge server presents its certificate to the client device.
  5. The client device checks its list of trusted CAs and verifies the server’s certificate.
  6. If successful, the client device sends its certificate to the edge server.
  7. The edge server checks its list of CAs and verifies the client device’s certificate.
  8. If successful, a secure connection between the server and the client device is established.

How to verify a certificate chain

To pass certificate verification on edge servers, clients need to provide the root CA certificate or the root and intermediate certificates that signed the certificate that client devices use to identify themselves. The certificate authority and intermediate certificates, known as a certificate chain, is a list of certificates issued by successive certificate authorities (CAs) that enables edge servers to verify that the client and all CAs are trustworthy.

In the figure, you can see a certificate chain that leads from a certificate that identifies a client through two intermediary CA certificates to the CA certificate for the root CA. In the figure, you can see a certificate chain that leads from a certificate that identifies a client through two intermediary CA certificates to the CA certificate for the root CA.


A certificate chain follows a path of certificates in the hierarchy up to the root CA certificate. In a certificate chain, each certificate must meet the following conditions:
  • Each certificate is followed by the certificate of its issuer.
  • Each certificate contains the name (DN) of that certificate's issuer, which is the same as the subject name of the next certificate in the chain.
  • Each certificate is signed with the private key of its issuer. The signature can be verified with the public key in the issuer's certificate, which is the next certificate in the chain.