Mutual TLS
Mutual TLS (mTLS) is a security protocol that enhances the security of communication between two parties, such as Wise and a partner. It allows both parties to establish a trusted and encrypted channel for data exchange in which each entity verifies the other's identity.
Below is an overview of how Wise sets up mTLS with partners:
Both parties first need to obtain digital certificates from a trusted Certificate Authority (CA). These certificates act as cryptographic credentials that validate the identity of each party.
The parties exchange their public certificates (not bare public keys) with each other. We provide public certificates for both our sandbox and production environments.
Upon receiving the public certificate from the other party, each party validates the certificate's authenticity, ensuring it is issued by a trusted Certificate Authority (CA) and not expired or revoked.
Each party must install the obtained public certificate on its respective server or endpoint that will be communicating with the other party.
When either party initiates a connection with the other party, the TLS handshake process begins. During this process, both parties present their public certificates to each other as part of the initial authentication.
Upon successful mutual authentication, the TLS connection is established with encryption keys negotiated. The parties can now securely exchange data over the encrypted channel.
In summary, each party needs to exchange, validate, and install the public certificate of the other party to enable mTLS. Public certificates contain the public keys along with additional information about the entity, and they are crucial for establishing a trusted and secure communication channel between the parties.
To configure mTLS, Wise will issue you public certificates for the environments you plan to use mTLS with. Additionally, Wise will require your public certificates to install on our side.
The process generally proceeds as follows:
- Wise will issue the partner the public certificates
- The partner will validate the public certificates, taking note of the expiry date of these certificates
- The partner will generate public certificates with the same expiry date as Wise's certificates. This ensures we are able to rotate at the same time each year.
- The partner will send the newly created certificates to Wise
- Both parties will install the certificates
- The partner will then use a new, mTLS-specific endpoint for all API calls
Wise requires that certificates be rotated on a yearly basis. The rotation process will be reviewed with you ahead of time, generally over a video call. It follows the initial setup process above, with new certificates created and installed. The steps must be completed in a specific order to ensure no downtime.
This process can take up to 2 weeks to complete due to the nature of the changes, so it's important to ensure enough time is in place. We will contact you ahead of the certificate expiry to schedule this process.
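The two checks a partner performs in the process above, validating a received certificate against the trusted CA before installing it and confirming that its own certificate expires on the same day as Wise's so both sides rotate together, as an added Go example. This is not Wise's code or API: the CA and certificates are constructed test material minted inside the program, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints constructed test certificates standing in for the ones the two parties
// exchange; with parent == nil the result is a self-signed CA. Errors are not checked.
func newCert(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf certificates are restricted to mTLS client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// validatePeerCert is the check each party runs before installing the other's certificate:
// it must chain to the trusted CA and be inside its validity period at the time of the check.
// Revocation status comes from the CA's CRL or OCSP responder and is not covered here.
func validatePeerCert(peer, trustedCA *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// rotationAligned reports whether two certificates expire on the same UTC day, which is
// what lets Wise and the partner rotate their certificates together each year.
func rotationAligned(a, b *x509.Certificate) bool {
	return a.NotAfter.UTC().Truncate(24 * time.Hour).Equal(b.NotAfter.UTC().Truncate(24 * time.Hour))
}
```

A certificate that fails validatePeerCert should not be installed; one that passes but fails rotationAligned should be reissued with the matching expiry before it is sent to Wise.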