MTLS
Mutual TLS. The practice that requires the client to present a certificate in addition to the server certificate, for bidirectional authentication.
Definition
mTLS (mutual TLS) designates the TLS configuration in which the server requires the client to present a valid X.509 certificate in addition to presenting its own. This dual transport-layer authentication replaces or complements application-layer authentication (password, JWT, OAuth) and is mandatory for many secure EDI exchanges: PEPPOL AS4, certain enterprise SFTP connections, EBICS bank-to-corporate exchanges.
Origin
The mTLS mechanism has been defined since TLS 1.0 (RFC 2246, 1999) through the CertificateRequest message sent by the server, then CertificateVerify on the client side. It was preserved and clarified in TLS 1.3 (RFC 8446). The term "mTLS" became commonly used in the early 2010s with the rise of API-driven services and zero-trust architectures.
Example in context
A PEPPOL Access Point must present its peers with a certificate issued by OpenPEPPOL, and require the sending AP's OpenPEPPOL certificate in return. The mutual TLS 1.3 handshake rejects any connection from a non-certified client and records the confirmed identity in access logs. It is the only authentication mechanism between APs: no password is exchanged.