# Private-admin mTLS for Traefik

`private-admin` routers are configured to require client certificates via the Traefik TLS option `mtls-private-admin@file`.

## Certificate paths

- Trusted client CA bundle expected by Traefik:
  - `core/traefik/certs/ca/clients-ca.crt`
- CA private key (keep secret, never commit):
  - `core/traefik/certs/ca/clients-ca.key`
- Issued client certs:
  - `core/traefik/certs/clients//`

## Bootstrap

From the repository root:

```bash
./core/traefik/scripts/init-mtls-ca.sh
./core/traefik/scripts/issue-mtls-client-cert.sh admin-laptop
```

The second command exports a PKCS#12 bundle (`.p12`) for browser import and also leaves PEM `.crt`/`.key` artifacts for CLI usage.

## Revocation workflow

Traefik validates client certificates only against the CA bundle listed in `clientAuth.caFiles`; it does not check certificate revocation, so a revoked serial is still accepted by default until the CA is rotated.

- Use `./core/traefik/scripts/revoke-mtls-client-cert.sh ` to quarantine a client cert bundle.
- For strict revocation, rotate the CA (run `init-mtls-ca.sh` after removing the old CA) and re-issue all trusted client certs.

## Deploy

After the CA and certs are in place, restart Traefik so the updated files are loaded:

```bash
docker compose -f core/traefik/docker-compose.yml up -d traefik
```
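For reference, the dynamic (file-provider) configuration that the `mtls-private-admin@file` option and the revocation caveat above refer to looks like this. This is an added example, not this repository's own config file: it assumes `core/traefik/certs` is mounted at `/certs` inside the Traefik container, and the router, host, service and upstream names are placeholders.

```yaml
# Added example of a Traefik dynamic configuration for the private-admin
# routers. Assumptions: host dir core/traefik/certs is mounted at /certs in
# the container; router/host/service/upstream names are placeholders.
tls:
  options:
    mtls-private-admin:
      minVersion: VersionTLS12
      clientAuth:
        # Trusted client CA bundle (host path core/traefik/certs/ca/clients-ca.crt).
        # Traefik only checks that the client cert chains to one of these CAs;
        # it performs no revocation check, which is why a revoked serial is
        # still accepted until the CA itself is rotated and certs re-issued.
        caFiles:
          - /certs/ca/clients-ca.crt
        # RequireAndVerifyClientCert aborts the handshake unless a client cert
        # is presented AND it verifies against caFiles. The weaker values
        # RequestClientCert and VerifyClientCertIfGiven let connections
        # without a certificate through and must not be used for admin routers.
        clientAuthType: RequireAndVerifyClientCert

http:
  routers:
    private-admin:                                # placeholder router name
      rule: "Host(`admin.example.internal`)"      # placeholder host
      entryPoints:
        - websecure
      service: admin-backend                      # placeholder service
      tls:
        # Reference the option defined above; "@file" names the file provider.
        options: mtls-private-admin@file
  services:
    admin-backend:
      loadBalancer:
        servers:
          - url: "http://admin:8080"              # placeholder upstream
```

After changing `caFiles` (for example after a CA rotation) the container must be restarted as described in the Deploy section, since Traefik reads the bundle at startup.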