Mutual TLS

Mutual TLS (mTLS) is a security protocol that enhances the security of communication between two parties, such as Wise and a partner. It allows both parties to establish a trusted and encrypted channel for data exchange, with each entity verifying the other's identity.

Below is an overview of how Wise sets up mTLS with partners:

1. Certificate Generation

Both parties first need to obtain digital certificates from a trusted Certificate Authority (CA). These certificates act as cryptographic credentials that validate the identity of each party.

2. Public Certificate Exchange

Each party exchanges its public certificate (the certificate itself, not a bare public key) with the other. We provide public certificates for both our sandbox and production environments.

3. Certificate Validation

Upon receiving the public certificate from the other party, each party validates the certificate's authenticity, ensuring it is issued by a trusted Certificate Authority (CA) and is neither expired nor revoked.

4. Certificate Installation

Each party must install the obtained public certificate on its respective server or endpoint that will be communicating with the other party.

5. TLS Handshake

When either party initiates a connection with the other party, the TLS handshake process begins. During this process, both parties present their public certificates to each other as part of the initial authentication.

6. Encryption and Data Exchange

Upon successful mutual authentication, the TLS connection is established with encryption keys negotiated. The parties can now securely exchange data over the encrypted channel.

In summary, each party needs to exchange, validate, and install the public certificate of the other party to enable mTLS. Public certificates contain the public keys along with additional information about the entity, and they are crucial for establishing a trusted and secure communication channel between the parties.

To configure mTLS, Wise will issue you public certificates for the environments you plan to use mTLS with. Additionally, Wise requires your public certificates so that they can be installed on our side.

The process is generally as follows:

  1. Wise will issue the partner the public certificates
  2. The partner will validate the public certificates, taking note of the expiry date of these certificates
  3. The partner will generate public certificates with the same expiry date as Wise's certificates. This ensures we are able to rotate at the same time each year.
  4. The partner will send the newly created certificates to Wise
  5. Both parties will install the certificates
  6. The partner will then use a new endpoint for all API calls that is specifically for mTLS

Once configured, Wise will only accept API calls via the mTLS endpoint. This ensures mTLS is enforced at all times.

Wise requires that certificates be rotated on a yearly basis. The process to do this will be reviewed with you ahead of time, generally over a video call. It generally follows the above process for initial setup, with new certificates created and installed. This needs to be completed in a specific order to ensure no downtime.

This process can take up to 2 weeks to complete due to the nature of the changes, so it's important to allow enough time. We will contact you ahead of the certificate expiry to schedule this process.
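The validation step and the rotation rules above, expressed in code as an added example (not tooling that Wise provides): a helper that mints certificates with a chosen expiry (standing in for the CA issuance of step 1, and for the partner issuing on Wise's expiry date), a check that a received certificate chains to a trusted CA and will not expire inside the two-week rotation window, and a check that both parties' certificates expire on the same day. All function names are assumptions; in practice the certificates come from your CA, not from this helper.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// IssueCert mints a certificate for cn valid until notAfter. With no parent it
// becomes a self-signed root CA; otherwise parent/parentKey sign it.
func IssueCert(cn string, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS CSPRNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // root CA: mark as CA and self-sign
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// ValidateCert is step 3: the certificate must chain to a CA in roots, be valid
// at now, and not expire within leadTime (rotation can take up to two weeks).
func ValidateCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time, leadTime time.Duration) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return fmt.Errorf("not issued by a trusted CA: %w", err)
	}
	if cert.NotAfter.Before(now.Add(leadTime)) {
		return fmt.Errorf("expires %s, inside the %s rotation window", cert.NotAfter.UTC().Format("2006-01-02"), leadTime)
	}
	return nil
}

// SameExpiryDay checks that both parties' certificates expire on the same UTC
// day, so they can be rotated together each year as the process requires.
func SameExpiryDay(a, b *x509.Certificate) bool {
	return a.NotAfter.UTC().Format("2006-01-02") == b.NotAfter.UTC().Format("2006-01-02")
}
```

Revocation (CRL or OCSP) is not covered by x509.Verify and would need a separate check against the issuing CA's revocation data.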

It is recommended that this process be followed for both our sandbox and production environments, with sandbox first. This ensures the process is understood and any issues are discovered in the non-production environment.