...

The device name must match the CN (common name) of the presented certificate. The platform verifies that the certificate passed in belongs to that device.

Flow

1. mTLS request comes into HAProxy. The request body contains the device name, system key, and other data.

2. HAProxy forwards the request to ClearBlade without TLS termination.

3. A separate ClearBlade TLS server will perform mTLS auth. If no root CA cert is set, the auth fails.

4. The TLS server will check if the supplied client certificate is revoked or in a CRL.

5. If the check is successful, the Cb-Mtls-Vertified and X-Client-Certificate headers are added to the request and forwarded to the router.

6. ClearBlade returns an auth token after checking the headers and request body.

7. The returned auth token should then be used in the normal MQTT connect flow or as the header in REST requests.

If the device does not yet exist in the system and mTLS auth succeeds, the device is created.
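
The flow above, assembled into a worked Go example. This is added illustration code, not ClearBlade's or HAProxy's own implementation. It assumes the request body uses the JSON keys `name` and `systemKey`, models the CRL lookup as a set of certificate serial numbers, and encodes the `X-Client-Certificate` value as base64 DER; the header names are the ones the page gives (spelling included). The TLS handshake itself, configured with `RequireAndVerifyClientCert`, validates the chain against the root CA; the handler then applies the revocation and CN-equals-device-name checks before the request reaches the router. `NewSelfSignedCert` is a constructed helper so the checks can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"time"
)

// AuthRequest holds the body fields the flow mentions; the JSON keys are assumed.
type AuthRequest struct {
	DeviceName string `json:"name"`
	SystemKey  string `json:"systemKey"`
}

// RevocationList stands in for a CRL lookup, keyed by certificate serial number.
type RevocationList map[string]bool

// VerifyDeviceCert runs the post-handshake checks: a client cert must be present,
// must not be revoked, and its CN must equal the device name from the body.
func VerifyDeviceCert(cert *x509.Certificate, deviceName string, revoked RevocationList) error {
	if cert == nil {
		return errors.New("no client certificate presented")
	}
	if revoked[cert.SerialNumber.String()] {
		return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
	}
	if deviceName == "" || cert.Subject.CommonName != deviceName {
		return fmt.Errorf("certificate CN %q does not match device name %q", cert.Subject.CommonName, deviceName)
	}
	return nil
}

// NewMTLSConfig builds the listener's TLS settings; with no root CA pool there is
// nothing to verify client certificates against, so it refuses to start (step 3).
func NewMTLSConfig(rootCAs *x509.CertPool) (*tls.Config, error) {
	if rootCAs == nil {
		return nil, errors.New("mTLS requires a root CA certificate")
	}
	return &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: rootCAs, MinVersion: tls.VersionTLS12}, nil
}

// AuthHandler applies the checks and, on success, adds the step 5 headers before
// passing the request to the router (next). A failed check stops the request here.
func AuthHandler(revoked RevocationList, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var cert *x509.Certificate
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
			cert = r.TLS.PeerCertificates[0]
		}
		raw, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<16))
		if err != nil {
			http.Error(w, "request body too large or unreadable", http.StatusBadRequest)
			return
		}
		r.Body = io.NopCloser(bytes.NewReader(raw)) // let the router read the body again
		var body AuthRequest
		if err := json.Unmarshal(raw, &body); err != nil {
			http.Error(w, "bad request body", http.StatusBadRequest)
			return
		}
		if err := VerifyDeviceCert(cert, body.DeviceName, revoked); err != nil {
			http.Error(w, "mTLS authentication failed", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Cb-Mtls-Vertified", "true") // header names as given on the page
		r.Header.Set("X-Client-Certificate", base64.StdEncoding.EncodeToString(cert.Raw))
		next.ServeHTTP(w, r)
	})
}

// NewSelfSignedCert is a constructed test helper: it mints a self-signed
// certificate with the given CN and serial so the checks can run offline.
func NewSelfSignedCert(cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
```

The body is buffered and restored so the router behind the handler can still read it, and a CN mismatch or revoked serial answers 401 before anything is forwarded; the device-creation behaviour on first successful auth belongs to the router side and is not modelled here.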

APIs

/admin/settings/mtls

Supports GET, PUT (upsert), and DELETE. Admin only.

...