
MTLS - generate certificate to nodejs client side

We need to communicate between our ec2 server and our customer server via Mutual TLS. The requests are sent from our server to our customer server - so we are the client here.

I read this post, talking about how to generate the files.

The first step is to create a certificate authority (CA) that both the client and server trust. The CA is just a public and private key with the public key wrapped up in a self-signed X.509 certificate.

Our cert and their cert - should be signed from the same root CA? Who should provide it?

The code in my side should be like:

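const fs = require('fs');
const https = require('https');

const req = https.request(
  {
    hostname: 'myserver.internal.net',
    port: 443,
    path: '/',
    method: 'GET',
    cert: fs.readFileSync('client.crt'), // our client certificate, presented to the server
    key: fs.readFileSync('client.key'),  // private key matching client.crt
    ca: fs.readFileSync('ca.crt')        // CA used to verify the server's certificate
  },
  res => {
    res.on('data', function(data) {
      // do something with response
    });
  }
);

// TLS handshake and network failures are reported here
req.on('error', err => {
  console.error(err);
});

req.end(); // without this the request is never sent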

So what should we provide each other? We don't exactly understand and they are not providing more details, just asked us to give them a certificate...

Our cert and their cert - should be signed from the same root CA? Who should provide it?

Since the control of the client certificate is done at the TLS server side (i.e. at the customer), it depends fully on what they expect. They might require a publicly signed certificate, they might require a certificate signed by their own CA. Or they might simply check that a specific certificate gets used and will also accept self-signed certificates for this.
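
In all three cases the answer lists, what goes to the customer is a certificate or a certificate signing request, while `client.key` stays on the client. The following is an added example, not code from the question or the answer: a check to run on a PEM file before handing it over. The function names and the sample PEM bodies are constructed for illustration.

```javascript
// Added example. PEM labels that may be handed to the other party.
const SHAREABLE = new Set(['CERTIFICATE', 'CERTIFICATE REQUEST', 'NEW CERTIFICATE REQUEST']);
// Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
const isPrivate = label => /PRIVATE KEY$/.test(label);

// Split PEM text into blocks; record each label and whether BEGIN/END match.
function pemBlocks(text) {
  const blocks = [];
  let open = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const begin = /^-----BEGIN ([A-Z0-9 ]+)-----$/.exec(line);
    const end = /^-----END ([A-Z0-9 ]+)-----$/.exec(line);
    if (begin) {
      if (open) blocks.push({ label: open, closed: false });
      open = begin[1];
    } else if (end) {
      blocks.push({ label: end[1], closed: open === end[1] });
      open = null;
    }
  }
  if (open) blocks.push({ label: open, closed: false });
  return blocks;
}

// Decide whether a file is safe to send to the party that will verify our cert.
function checkHandover(text) {
  const blocks = pemBlocks(text);
  const problems = [];
  if (blocks.length === 0) problems.push('no PEM blocks found');
  for (const { label, closed } of blocks) {
    if (isPrivate(label)) problems.push(`private key present (${label}): keep it on the client`);
    else if (!SHAREABLE.has(label)) problems.push(`unexpected block type: ${label}`);
    if (!closed) problems.push(`unterminated or mismatched block: ${label}`);
  }
  return { ok: problems.length === 0, labels: blocks.map(b => b.label), problems };
}

// Constructed samples: the base64 body is a placeholder, not real key material.
const pem = (label, body = 'TUlJQ29uc3RydWN0ZWQ=') =>
  `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
const csrOnly = pem('CERTIFICATE REQUEST');
const certPlusKey = pem('CERTIFICATE') + pem('PRIVATE KEY');

console.log(checkHandover(csrOnly));     // ok: true
console.log(checkHandover(certPlusKey)); // ok: false, private key flagged
```
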
