Mutual TLS (mTLS) with FastAPI and Uvicorn

The Challenge:

The Approach

We Need Two CAs:

Nuts and Bolts

Testing and Implementing

Phase 1: Ensure TLS/SSL is working

uvicorn main:app --ssl-certfile <fullchain certificate in PEM> --ssl-keyfile <RSA / ECC Private Key> --port 443

Phase 2: For Testing CERT_OPTIONAL Configuration

uvicorn main:app --ssl-certfile <fullchain certificate in PEM> --ssl-keyfile <RSA / ECC Private Key> --ssl-cert-reqs 1 --ssl-ca-certs <fullchain certificates in PEM> --port 443

Browser Asking for a Certificate.

Clicking Cancel

Phase 3: For Testing CERT_REQUIRED Configuration

uvicorn main:app --ssl-certfile C:\Certbot\live\cryptoroo.xyz\fullchain.pem --ssl-keyfile C:\Certbot\live\cryptoroo.xyz\privkey.pem --ssl-cert-reqs 2 --ssl-ca-certs E:\GITHUB\cryptoroo_ca\complete.crt --port 443
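
What Phases 2 and 3 change on the server side, as an added example that is not from the original article: an in-memory handshake with Python's ssl module under cert-reqs 1 (CERT_OPTIONAL) and 2 (CERT_REQUIRED). It assumes the openssl CLI is on PATH; the helper names and the self-signed certificates are constructed for illustration, and one trusted client certificate stands in for the CA bundle given to --ssl-ca-certs.

```python
import os, ssl, subprocess, tempfile
def selfsigned(d, name):
    """Constructed throwaway key + self-signed cert (calls the openssl CLI)."""
    crt, key = os.path.join(d, name + ".crt"), os.path.join(d, name + ".key")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return crt, key

def step(conn):
    try:
        conn.do_handshake()
        return True
    except ssl.SSLWantReadError:   # needs more bytes from the peer
        return False

def handshake(cert_reqs, server, ca_certs, client=None):
    """Returns 'rejected' (handshake failed), 'anonymous', or the client CN."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(*server)                 # corresponds to --ssl-certfile / --ssl-keyfile
    srv.verify_mode = ssl.VerifyMode(cert_reqs)  # corresponds to --ssl-cert-reqs (1 or 2)
    srv.load_verify_locations(ca_certs)          # corresponds to --ssl-ca-certs
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(server[0])         # client trusts the test server cert
    if client:
        cli.load_cert_chain(*client)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    c = cli.wrap_bio(c_in, c_out, server_hostname="localhost")
    s = srv.wrap_bio(s_in, s_out, server_side=True)
    c_done = s_done = False
    try:
        for _ in range(6):                       # shuttle TLS records between both ends
            c_done = c_done or step(c)
            s_in.write(c_out.read())
            s_done = s_done or step(s)
            c_in.write(s_out.read())
    except ssl.SSLError:
        return "rejected"
    peer = s.getpeercert()                       # None when no client cert was sent
    return dict(rdn[0] for rdn in peer["subject"])["commonName"] if peer else "anonymous"

def demo():
    with tempfile.TemporaryDirectory() as d:
        server, client, rogue = (selfsigned(d, n) for n in ("server", "client", "rogue"))
        run = lambda reqs, cert=None: handshake(reqs, server, client[0], cert)
        return {"optional/none": run(1), "required/none": run(2),
                "required/trusted": run(2, client), "optional/untrusted": run(1, rogue)}

if __name__ == "__main__":
    print(demo())
```

CERT_OPTIONAL still validates a certificate when one is presented, so an untrusted certificate is refused in both modes. With TLS 1.3 the client's handshake can complete before the server rejects the certificate, so a real client sees the failure on its first read.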

Postman Call with no Client Cert:

Configuring Postman to Use SSL Certificates for https://fastapi-mtls.cryptoroo.xyz/docs

For more details, see: https://learning.postman.com/docs/sending-requests/certificates/

Success!!:

Verify that the certificate is in fact passed in:

Testing With OpenSSL:

openssl s_client -connect fastapi-mtls.cryptoroo.xyz:443 -cert <path to your mtls cert> -key <path to your mtls key>

We should then get a prompt at the bottom:

Type in the following to test a GET to the root (/):

GET / HTTP/1.1
Host: fastapi-mtls.cryptoroo.xyz

Summary:

To Do:
