mTLS Settings
~~~~~~~~~~~~~

StoredSafe supports using mutual TLS (mTLS) as a Multi-Factor Authentication (MFA) mechanism. The concept relies on the client holding an X.509 client certificate on a local secure device, such as a smartcard, or using the PIV slots on a YubiKey, to hold and protect the private key.

Several things are needed to use mTLS as an MFA mechanism:

- A trusted Certificate Authority (CA) to issue the client certificates
- The certificate (public key) of the trusted CA in PEM format
- An HTTP or HTTPS endpoint from which to fetch the CRL (Certificate Revocation List) of the trusted CA (optional)

.. note::

   If no CRL from the trusted Certificate Authority is fetched and used, a compromised or lost client certificate might be misused.

::

    ┌─────────────────────────────────────────────────────────────────────────────┐
    │ Service Management on node1 (Version 2.X.X-dev build XXXX)                  │
    └─────────────────────────────────────────────────────────────────────────────┘
    ┌─┬───────────────────────────────────────────────────────────────────────────┐
    │1│Activate or Change Client Authentication (mTLS) Settings                   │
    │2│Client CA Settings                                                         │
    │3│Client CRL Settings                                                        │
    │4│Client Verify Depth                                                        │
    │9│Disable mTLS                                                               │
    └─┴───────────────────────────────────────────────────────────────────────────┘

    Move the cursor or enter a it's corresponding number (Q to Quit)

    Main> System Settings> Service> mTLS>

.. toctree::
   :maxdepth: 2

   mtls_enable.rst
   mtls_client_ca.rst
   mtls_client_crl.rst
   mtls_verify_depth.rst
   mtls_disable.rst
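To make the CA and CRL requirements above concrete, the following is an added shell example; it is not StoredSafe's own code and only needs the ``openssl`` command-line tool. It builds a throw-away CA, issues one client certificate, verifies it, then revokes it and republishes the CRL. The scratch directory, CA name and user name ``alice`` are constructed for the demo. The CRL-aware check rejects the revoked certificate, while a check done without a CRL still accepts it, which is exactly the situation the note above warns about.

```shell
#!/bin/sh
# Added example, not StoredSafe code: a throw-away CA, one client certificate
# and a CRL, to show the difference a revocation check makes. Requires the
# openssl CLI; every path and name below is constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/mtls-crl-demo"   # constructed scratch directory

setup_ca() {
  rm -rf "$WORK"
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"                # "openssl ca" database of issued certs
  echo 1000 > "$WORK/serial"
  echo 1000 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
x509_extensions  = client_ext
[ any_policy ]
commonName       = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
  (
    cd "$WORK"
    # Self-signed CA: ca.pem is the "certificate of the trusted CA in PEM format"
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
      -subj "/CN=Demo Client CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
    # Client key and CSR (in production the key would live on a smartcard/YubiKey)
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout client.key -out client.csr >/dev/null 2>&1
    openssl ca -batch -notext -config ca.cnf -in client.csr -out client.pem >/dev/null 2>&1
    # Initial CRL with no revoked serials
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  )
}

# Exit status 0 when client.pem chains to ca.pem and is not listed in crl.pem
verify_client() {
  openssl verify -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" -crl_check \
    "$WORK/client.pem" >/dev/null 2>&1
}

# Same chain check with no CRL at all: what a server does when no CRL is configured
verify_client_without_crl() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# Revoke the client certificate (e.g. a lost YubiKey) and publish a fresh CRL
revoke_client() {
  (
    cd "$WORK"
    openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  )
}

setup_ca
verify_client && echo "before revocation: accepted with CRL check"
revoke_client
verify_client_without_crl && echo "after revocation, no CRL: still accepted (the risk the note describes)"
verify_client || echo "after revocation, with CRL: rejected"
```

In terms of the menu above, ``ca.pem`` is the kind of file that goes into the Client CA Settings and ``crl.pem`` is what the CRL endpoint configured under Client CRL Settings would serve; the point of the demo is that a revocation only takes effect on the server side once the CRL is actually fetched and checked.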