# mTLS

> Configure mutual TLS (mTLS) authentication for enhanced API security using client certificates.

## Overview

All API requests made over <Tooltip tip="Mutual Transport Layer Security (mTLS) is an enhanced form of the standard TLS protocol in which both the client and the server authenticate and validate each other's identities.">mTLS</Tooltip> use the following **unique domains** for each of Knot's environments:

| Environment | Domain                                 |
| ----------- | -------------------------------------- |
| Development | `https://mtls.development.knotapi.com` |
| Production  | `https://mtls.production.knotapi.com`  |

## Enabling mTLS

To enable mTLS, follow the steps below.

<Steps>
  <Step title="Generate a private key and corresponding CSR" titleSize="h3">
    Use your preferred method to generate a private key and corresponding <Tooltip tip="Certificate Signing Request: a file used in public key infrastructure (PKI) systems to request a digital certificate from a Certificate Authority (CA)">CSR</Tooltip> that meets the following requirements:

    1. The CSR uses RSA 2048 as the key algorithm.
    2. The CSR uses SHA2-256 as the hash algorithm.
    3. The Common Name (CN) attribute is assigned to your `client_id`.

    Below is an example using OpenSSL:

    ```
    openssl req \
        -new -sha256 -newkey rsa:2048 -nodes \
        -subj '/CN=[client_id]' \
        -keyout client.key -out client.req
    ```

    <Note>
      Ensure you keep the private key secure as it will be used later in API requests.
    </Note>
  </Step>

  <Step title="Provide the CSR to Knot" titleSize="h3">
    Forward the CSR file to Knot and request that it be activated for your `client_id`. You'll promptly receive a client certificate signed by Knot. This certificate, in conjunction with your private key, will serve as the authentication mechanism for interacting with the API.
  </Step>

  <Step title="Confirm mTLS is enabled" titleSize="h3">
    Receive the client certificate signed by Knot and confirm that mTLS is enabled for a given environment.
  </Step>

  <Step title="Access the API over mTLS" titleSize="h3">
    Make all requests to the API with your `client_id` over mTLS. Attach the `client.cert` and `client.key` in your HTTP client.

    | Environment | Domain                                 |
    | ----------- | -------------------------------------- |
    | Development | `https://mtls.development.knotapi.com` |
    | Production  | `https://mtls.production.knotapi.com`  |
  </Step>
</Steps>
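
The script below is an added example, not Knot's own tooling. It checks a CSR against the three requirements in the first step before it is sent to Knot, and also confirms that the CSR matches the private key and that the key file is readable only by its owner. The function name `check_csr` and the script name are hypothetical; `client.req` and `client.key` are the files produced by the OpenSSL command above.

```bash
#!/usr/bin/env bash
# Added example: pre-submission CSR checks. Usage:
#   ./check_csr.sh client.req client.key <client_id>   (script name is hypothetical)

check_csr() {
    local csr="$1" key="$2" client_id="$3" text cn

    # The self-signature must verify. Match the message, since some OpenSSL
    # releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "FAIL: CSR self-signature does not verify" >&2; return 1; }

    text=$(openssl req -in "$csr" -noout -text) || return 1

    # Requirement 1: RSA 2048 as the key algorithm.
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' \
        || { echo "FAIL: key algorithm is not RSA" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' \
        || { echo "FAIL: key size is not 2048 bits" >&2; return 1; }

    # Requirement 2: SHA2-256 as the hash algorithm.
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "FAIL: signature is not SHA-256 with RSA" >&2; return 1; }

    # Requirement 3: the Common Name equals the client_id.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$client_id" ] \
        || { echo "FAIL: CN is '$cn', expected '$client_id'" >&2; return 1; }

    # The CSR must carry the public half of the key you will present later.
    [ "$(openssl req -in "$csr" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "FAIL: CSR public key does not match the private key" >&2; return 1; }

    # The command above uses -nodes, so the key is unencrypted on disk:
    # require owner-only permissions on the file.
    case "$(ls -l "$key")" in
        -rw-------*|-r--------*) ;;
        *) echo "FAIL: $key is accessible to group or others" >&2; return 1 ;;
    esac

    echo "OK: $csr meets the CSR requirements for client_id $client_id"
}

if [ "$#" -eq 3 ]; then check_csr "$@"; fi
```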
