# Private-admin mTLS for Traefik

Routers in the `private-admin` group are configured to require client certificates by attaching the Traefik TLS option `mtls-private-admin@file` (a `tls.options` entry supplied by the file provider, which is what the `@file` suffix denotes).
## Certificate paths

- Trusted client CA bundle expected by Traefik: `core/traefik/certs/ca/clients-ca.crt`
- CA private key (keep secret, never commit): `core/traefik/certs/ca/clients-ca.key`
- Issued client certs: `core/traefik/certs/clients/<client-name>/`
## Bootstrap

From the repository root:

```bash
./core/traefik/scripts/init-mtls-ca.sh
./core/traefik/scripts/issue-mtls-client-cert.sh admin-laptop
```

The first command creates the client CA. The second issues a certificate for `admin-laptop`, exports a PKCS#12 bundle (`.p12`) for browser import and also leaves PEM `.crt`/`.key` artifacts for CLI usage.
## Revocation workflow

Traefik only checks that a presented client certificate chains to a CA in `clientAuth.caFiles`; it does not consult a CRL or OCSP responder, so a certificate that has been marked revoked on the issuing side is still accepted until it expires or the CA it chains to is no longer trusted.

- Use `./core/traefik/scripts/revoke-mtls-client-cert.sh <client-name>` to quarantine a client cert bundle. Because revocation is not enforced by Traefik, a copy of that bundle that was already exported keeps authenticating until the CA is rotated.
- For strict revocation, rotate the CA (remove the old CA material, then run `init-mtls-ca.sh` again) and re-issue every client cert that should remain trusted. Any certificate chaining to the old CA is rejected as soon as Traefik loads the new bundle.
## Deploy

Traefik reads the CA bundle when it builds the TLS options, so once the CA and client certs are in place restart Traefik to make sure the updated files are loaded:

```bash
docker compose -f core/traefik/docker-compose.yml up -d traefik
```

If the container is already running and its compose definition has not changed, `up -d` reports it as up to date and does not restart it even though the mounted files changed; in that case use `docker compose -f core/traefik/docker-compose.yml restart traefik` (or add `--force-recreate`).
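The bootstrap and CA-rotation steps above, together with the TLS option the routers reference, as an added example (not the repository's own `init-mtls-ca.sh`, `issue-mtls-client-cert.sh` or `revoke-mtls-client-cert.sh`, whose contents are not shown on this page). It reproduces with plain `openssl` what those steps produce and then verifies a client cert the way Traefik does: chain validation against the CA bundle, with no revocation check, so rotating the CA is what actually locks an old cert out. The scratch directory, P-256 keys, the export password `changeit`, the validity periods and the in-container mount path `/certs/ca/clients-ca.crt` are assumptions; the real scripts' choices may differ.

```bash
#!/usr/bin/env bash
# Added example, not the repository's scripts: openssl equivalent of the CA bootstrap,
# client issuance, CA-rotation revocation and the mtls-private-admin TLS option.
# Everything is written under a scratch directory (assumption) instead of core/traefik/certs.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/ca"            # stands in for core/traefik/certs/ca
CLIENTS_DIR="$WORK/clients"  # stands in for core/traefik/certs/clients
P12_PASS="changeit"          # assumption: the real export password is not documented

# Equivalent of init-mtls-ca.sh: a self-signed root whose key usage is limited to signing certs.
init_ca() {
  mkdir -p "$CA_DIR"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=private-admin clients CA" \
    -keyout "$CA_DIR/clients-ca.key" -out "$CA_DIR/ca.csr" 2>/dev/null
  {
    echo 'basicConstraints=critical,CA:TRUE'
    echo 'keyUsage=critical,keyCertSign,cRLSign'
  } > "$CA_DIR/ca.ext"
  openssl x509 -req -in "$CA_DIR/ca.csr" -signkey "$CA_DIR/clients-ca.key" \
    -days 825 -extfile "$CA_DIR/ca.ext" -out "$CA_DIR/clients-ca.crt" 2>/dev/null
  chmod 600 "$CA_DIR/clients-ca.key"   # the secret the README says never to commit
  rm -f "$CA_DIR/ca.csr" "$CA_DIR/ca.ext"
}

# Equivalent of issue-mtls-client-cert.sh <client-name>: PEM .crt/.key for CLI use
# and a .p12 bundle for browser import, under clients/<client-name>/.
issue_client() {
  local name="$1" dir="$CLIENTS_DIR/$1"
  mkdir -p "$dir"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  {
    echo 'basicConstraints=CA:FALSE'
    echo 'keyUsage=critical,digitalSignature'
    echo 'extendedKeyUsage=clientAuth'   # client-only: cannot be reused as a server cert
  } > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$CA_DIR/clients-ca.crt" \
    -CAkey "$CA_DIR/clients-ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
    -name "$name" -passout "pass:$P12_PASS" -out "$dir/$name.p12"
  rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# The check Traefik performs with clientAuth.caFiles: does the cert chain to the trusted
# bundle and is it usable as a TLS client cert? No CRL/OCSP involved. Prints ok / rejected.
verify_client() {
  if openssl verify -CAfile "$CA_DIR/clients-ca.crt" -purpose sslclient \
       "$CLIENTS_DIR/$1/$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected; return 1
  fi
}

# Strict revocation per the README: drop the old CA, create a new one, re-issue clients.
rotate_ca() {
  rm -rf "$CA_DIR"
  init_ca
}

# File-provider dynamic configuration defining mtls-private-admin
# (assumption: the bundle is mounted at /certs/ca/clients-ca.crt inside the container).
write_tls_option() {
  mkdir -p "$WORK/dynamic"
  cat > "$WORK/dynamic/mtls-private-admin.yml" <<'EOF'
tls:
  options:
    mtls-private-admin:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /certs/ca/clients-ca.crt
        clientAuthType: RequireAndVerifyClientCert
EOF
  echo "$WORK/dynamic/mtls-private-admin.yml"
}

main() {
  init_ca
  issue_client admin-laptop
  verify_client admin-laptop           # ok
  rotate_ca
  verify_client admin-laptop || true   # rejected: chains to the retired CA
  issue_client admin-laptop
  verify_client admin-laptop           # ok: re-issued under the new CA
  write_tls_option
}
main
```

Run it as `bash mtls-demo.sh`; it prints `ok`, `rejected`, `ok` and the path of the generated TLS option file. OpenSSL 3 exports the `.p12` with AES and PBKDF2, which some older browser importers cannot read; add `-legacy` to the `pkcs12` command if an import fails. After the real deploy, the equivalent end-to-end check is `curl --cert admin-laptop.crt --key admin-laptop.key https://<private-admin-host>/` succeeding while the same request without `--cert` fails in the TLS handshake rather than with an HTTP error.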