Recipe: Mutual TLS (mTLS) service-to-service
Enforce bidirectional certificate verification between Meridian microservices using short-lived X.509 leaf certificates issued by your internal CA.
Prerequisites
- Internal PKI with a root CA trusted by all services
- Meridian Gateway v2.4+ deployed in your mesh
- Service identity provisioned via SPIFFE or static SAN
Step 1 — Issue leaf certificates
Generate an ECDSA P-256 key pair and CSR per service. The certificate must include the SPIFFE ID in the SAN URI field. Meridian's sidecar rejects any peer whose SAN does not match the expected identity.
step ca certificate "spiffe://meridian/payments" payments.crt payments.key
Step 2 — Configure the sidecar
Mount the leaf cert, private key, and CA bundle into the sidecar. Set tls_mode to strict_mutual and provide the allowed peer SAN glob.
tls:
  mode: strict_mutual
  cert_file: /etc/meridian/tls/payments.crt
  key_file: /etc/meridian/tls/payments.key
  ca_file: /etc/meridian/tls/ca-bundle.pem
  peer_san: "spiffe://meridian/*"
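The following is an added example, not Meridian's sidecar code, of the identity check that strict_mutual layers on top of ordinary chain validation: given a peer certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns, it checks the validity window and the SAN URI against the peer_san glob and produces the peer_verified / peer_rejected events described in Step 3. Assumptions: the glob semantics (the page does not document Meridian's; here `*` stays within one path segment and `**` crosses segments), the TLS alert numbers (RFC 5246 values), and every sample certificate, which is constructed.

```python
"""Peer-identity check in the style of the strict_mutual sidecar policy.

Added illustration, not Meridian's code. Assumptions are marked below.
"""
import hashlib
import re
import ssl
import time

# Policy value from the recipe's sidecar config. Assumption: Meridian's glob
# semantics are not documented on this page; here "*" matches within one
# path segment and "**" matches across segments, so "spiffe://meridian/*"
# admits "spiffe://meridian/payments" but not "spiffe://meridian/a/b".
PEER_SAN_GLOB = "spiffe://meridian/*"

# TLS alert descriptions (RFC 5246, section 7.2) a sidecar would send back.
ALERT_BAD_CERTIFICATE = 42
ALERT_CERTIFICATE_EXPIRED = 45


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate the SAN glob into an anchored regex (see assumption above)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of the certificate's DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def san_uris(peercert: dict) -> list:
    """URI SAN entries, in the dict layout ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "URI"]


def check_peer(peercert: dict, der: bytes, allowed_glob: str, now: float = None) -> dict:
    """Decide on a peer and return the audit event the recipe describes.

    Chain validation against ca_file is assumed to have been done by the TLS
    stack already; this function applies only the validity and identity checks.
    """
    now = time.time() if now is None else now
    fp = fingerprint_sha256(der)

    def rejected(alert: int, reason: str) -> dict:
        return {"event": "peer_rejected", "fingerprint": fp, "alert": alert, "reason": reason}

    try:
        not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
        not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    except (KeyError, ValueError):
        return rejected(ALERT_BAD_CERTIFICATE, "unparseable validity period")
    if not (not_before <= now <= not_after):
        return rejected(ALERT_CERTIFICATE_EXPIRED, "outside validity window")

    allowed = glob_to_regex(allowed_glob)
    matching = [uri for uri in san_uris(peercert) if allowed.match(uri)]
    # Exactly one matching SPIFFE ID: none means a foreign or SAN-less cert;
    # more than one is ambiguous and is treated as a policy violation.
    if len(matching) != 1:
        return rejected(ALERT_BAD_CERTIFICATE, f"SAN {san_uris(peercert)} does not match {allowed_glob}")
    return {"event": "peer_verified", "remote_san": matching[0], "fingerprint": fp}


# --- Constructed sample input (not real certificates) ---------------------
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 10 12:00:00 2025 GMT")
SAMPLE_DER = b"constructed-der-bytes"

GOOD_CERT = {
    "notBefore": "Mar 10 09:00:00 2025 GMT",
    "notAfter": "Mar 11 09:00:00 2025 GMT",
    "subjectAltName": (("URI", "spiffe://meridian/payments"),),
}
FOREIGN_CERT = dict(GOOD_CERT, subjectAltName=(("URI", "spiffe://other-mesh/payments"),))
NESTED_CERT = dict(GOOD_CERT, subjectAltName=(("URI", "spiffe://meridian/a/b"),))
EXPIRED_CERT = dict(GOOD_CERT, notBefore="Mar 08 09:00:00 2025 GMT", notAfter="Mar 09 09:00:00 2025 GMT")

if __name__ == "__main__":
    for name, cert in [("good", GOOD_CERT), ("foreign", FOREIGN_CERT),
                       ("nested", NESTED_CERT), ("expired", EXPIRED_CERT)]:
        print(name, check_peer(cert, SAMPLE_DER, PEER_SAN_GLOB, SAMPLE_NOW))
```

Note that `spiffe://meridian/*` admits every workload in the trust domain; where a service's caller set is known, a narrower peer_san (for example one naming the specific calling service) keeps a compromised unrelated workload from reaching it even with a valid mesh certificate.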
Step 3 — Verify the handshake
Restart the sidecar and tail the audit log. A successful mTLS handshake emits a peer_verified event containing the remote SAN and certificate fingerprint. Rejected connections surface as peer_rejected with a TLS alert code.
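As an added example of working the audit log from this step (not Meridian's tooling), the script below parses a constructed batch of peer_verified / peer_rejected lines, groups rejections by TLS alert, lists the foreign identities that were turned away, and records which fingerprints each verified SAN presented so a rotation (Rotation strategy below) can be confirmed from the log. The JSON field names, the alert-number table and every log line are assumptions; Meridian's real log format is not shown on this page.

```python
"""Triage of sidecar audit events from Step 3.

Added illustration, not Meridian's tooling; the JSON field names are assumed.
"""
import json
from collections import Counter, defaultdict

# RFC 5246 alert descriptions that explain most peer_rejected events.
TLS_ALERTS = {
    42: "bad_certificate",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

# Constructed sample log (not captured from a real sidecar). One line is
# deliberately malformed to show that triage must not stop on it.
SAMPLE_LOG = """\
{"ts":"2025-03-10T12:00:01Z","event":"peer_verified","remote_san":"spiffe://meridian/orders","fingerprint":"AA:BB"}
{"ts":"2025-03-10T12:00:02Z","event":"peer_rejected","remote_san":"spiffe://other-mesh/orders","alert":42}
{"ts":"2025-03-10T12:00:03Z","event":"peer_rejected","alert":45,"fingerprint":"CC:DD"}
{"ts":"2025-03-10T12:00:04Z","event":"peer_verified","remote_san":"spiffe://meridian/orders","fingerprint":"EE:FF"}
garbage line that is not JSON
{"ts":"2025-03-10T12:00:05Z","event":"peer_rejected","remote_san":"spiffe://other-mesh/orders","alert":42}
"""


def parse_events(text: str):
    """Return (events, malformed_count); never abort on a bad line."""
    events, malformed = [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if isinstance(event, dict) and "event" in event:
            events.append(event)
        else:
            malformed += 1
    return events, malformed


def triage(text: str, trust_domain: str = "spiffe://meridian/") -> dict:
    """Summarise handshake outcomes in a batch of audit-log lines."""
    events, malformed = parse_events(text)
    summary = {
        "verified": 0,
        "verified_outside_domain": Counter(),  # peer_san is wider than intended
        "rejected_by_alert": Counter(),
        "foreign_sans": Counter(),             # identities that were turned away
        "fingerprints_per_san": defaultdict(set),
        "malformed": malformed,
    }
    for ev in events:
        san = ev.get("remote_san")
        if ev["event"] == "peer_verified":
            summary["verified"] += 1
            if san and "fingerprint" in ev:
                summary["fingerprints_per_san"][san].add(ev["fingerprint"])
            if san and not san.startswith(trust_domain):
                summary["verified_outside_domain"][san] += 1
        elif ev["event"] == "peer_rejected":
            code = ev.get("alert")
            summary["rejected_by_alert"][TLS_ALERTS.get(code, f"alert_{code}")] += 1
            if san and not san.startswith(trust_domain):
                summary["foreign_sans"][san] += 1
    # Several fingerprints for one SAN is what a completed rotation looks like.
    summary["fingerprints_per_san"] = {
        san: sorted(fps) for san, fps in summary["fingerprints_per_san"].items()
    }
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty verified_outside_domain is the finding to act on first: it means the sidecar accepted an identity the peer_san glob was not meant to admit, so the config, not the peer, is at fault.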
Rotation strategy
Issue leaf certs with a 24-hour TTL. The sidecar hot-reloads when it detects a new file on disk. Overlap validity windows by 6 hours to prevent downtime during rollout.
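To see what the 6-hour overlap buys, here is an added example (not Meridian's code) that lays out the validity windows of consecutive 24-hour leaf certificates and reports any instant at which no certificate is valid. The TTL and overlap are the recipe's values; the schedule arithmetic and the sample start time are mine. Its point is that the overlap is the budget for everything that can run late, issuance and the sidecar's detection of the new file included: a renewal that slips by less than 6 hours is harmless, one that slips by more opens a gap.

```python
"""Does a rotation schedule leave a moment with no valid leaf cert?

Added illustration, not Meridian's code. TTL and OVERLAP come from the
recipe; the planning arithmetic and the sample start time are assumptions.
"""
from datetime import datetime, timedelta, timezone

TTL = timedelta(hours=24)
OVERLAP = timedelta(hours=6)

# Constructed sample start time for the first leaf certificate.
T0 = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


def next_issue_at(not_before: datetime, ttl: timedelta = TTL, overlap: timedelta = OVERLAP) -> datetime:
    """Issue the successor so that its window overlaps the current one by `overlap`."""
    return not_before + ttl - overlap


def planned_windows(start: datetime, count: int, delays=(), ttl: timedelta = TTL,
                    overlap: timedelta = OVERLAP) -> list:
    """Validity windows (not_before, not_after) for `count` consecutive certs.

    delays[i] models cert i being issued (or hot-reloaded) later than planned.
    """
    windows, planned = [], start
    for i in range(count):
        delay = delays[i] if i < len(delays) else timedelta(0)
        actual = planned + delay
        windows.append((actual, actual + ttl))
        planned = next_issue_at(actual, ttl, overlap)
    return windows


def coverage_gaps(windows: list) -> list:
    """Intervals during which no certificate is valid; non-empty means downtime."""
    gaps = []
    ordered = sorted(windows)
    covered_until = ordered[0][1]
    for not_before, not_after in ordered[1:]:
        if not_before > covered_until:
            gaps.append((covered_until, not_before))
        covered_until = max(covered_until, not_after)
    return gaps


if __name__ == "__main__":
    for label, delays in [("on time", ()), ("5h late", (hours(0), hours(5))),
                          ("7h late", (hours(0), hours(7)))]:
        print(label, coverage_gaps(planned_windows(T0, 3, delays)))
```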