Skip to content
All writing Part 02 of 06 · PKI & TLS Behind a Migration Ticket
Engineering · 3 min read

One-Way TLS vs Mutual TLS (mTLS)

Both are TLS. The only structural difference is who has to show a certificate: one-way, just the server; mutual, the client too, so both ends check each other.

Both are TLS (encryption plus identity). The only structural difference is who has to show a certificate.

  • One-way TLS (ordinary HTTPS): only the server shows a certificate. The client checks the server, but the server doesn’t cryptographically check the client. Your browser confirms “is this really the bank?”, but the bank doesn’t confirm you this way. Your identity is handled later, at the app level, by logging in.
  • Mutual TLS (mTLS): the server also asks the client for a certificate, so the client has to show one too. Both sides check each other, and both refuse the connection (“fail closed”) if either certificate is missing, expired, or untrusted.
One-way TLS Mutual TLS (mTLS) Client Server cert no cert only the server proves itself Client Server cert cert both prove, fail closed if either is bad
One-way TLS asks "who is the server?". Mutual TLS asks it in both directions.

Which one fits follows from that:

  • One-way for public, browser-facing endpoints, where you can’t hand a certificate to every visitor.
  • Mutual for traffic between your own services, where both ends are your infrastructure and can each hold a certificate. As a bonus, the server can decide what this client is allowed to do straight from the certificate’s identity.

In this migration: the two “SSL”s in the project split on exactly this line. The front door is one-way TLS (any browser can reach it), while Kafka on port 9093 is mutual TLS (the sender shows a client certificate, which is what lets the Kafka server enforce per-certificate permissions).

One-way TLS asks “who is the server?”. Mutual TLS asks it in both directions.


References

Related: the certificate each side shows is built from the three certificate files; the front door runs one-way (ingress TLS termination) while Kafka on 9093 runs mutual. Back to the overview: two SSLs behind one migration ticket.

Tags #tls #security
// connect

Be brave | Be wise | Be grateful

21 BreakinCode

// elsewhere
LinkedInMedium (lang: en)Life RecordYoutube
wh:~$William Hung· © 2026 Taipei · GMT+8 · Available for collaboration