Clockspring uses mutual TLS (mTLS) internally by design. This is not an optional hardening step and not something added later for compliance. It is foundational to how the platform secures itself.
This article explains what mTLS does in Clockspring, why it exists, and what problems it prevents.
No configuration steps. Just the why.
What mTLS Is (Quickly)
Standard TLS:
Server proves its identity
Client trusts the server
Mutual TLS:
Server proves its identity
Client also proves its identity
Both sides authenticate each other using certificates
mTLS answers two questions at once:
Who am I talking to?
Who is allowed to talk to me?
Where Clockspring Uses mTLS
Clockspring uses mTLS for internal platform communication, including:
Node-to-node communication in a cluster
Communication between Clockspring and the Registry
These connections are:
always encrypted
always authenticated on both sides
never anonymous
This is true regardless of environment size or deployment model.
Why mTLS Is Required in Clockspring
1. Prevents Unauthorized Nodes
Without mTLS:
Any system that can reach the network could attempt to join a cluster
Spoofed nodes could inject or intercept data
With mTLS:
Only nodes with trusted certificates can participate
Identity is enforced cryptographically
This is non-negotiable in clustered systems.
2. Protects Internal Traffic Even on “Trusted” Networks
Many breaches happen on internal networks.
mTLS ensures:
encryption even inside the data center
protection against lateral movement
no reliance on network location alone
“Inside the firewall” is not a security boundary.
3. Enables Strong Trust Between Components
Clockspring and the Registry must trust each other completely.
mTLS guarantees:
the Registry knows it is talking to a real Clockspring node
Clockspring knows it is talking to the correct Registry
certificates can be rotated without changing application logic
Trust is explicit, not assumed.
mTLS vs User Authentication
These are separate concerns and often confused.
mTLS:
secures system-to-system communication
identifies machines and services
operates below the application layer
User authentication:
controls who can log in
governs UI and API access
operates at the application layer
mTLS does not replace user authentication. It protects the platform itself.
Why You Can’t “Turn It Off”
Disabling mTLS would mean:
nodes trust any peer on the network
Registry trust is implicit
internal traffic can be intercepted or forged
That breaks core security guarantees of the platform. For Clockspring, mTLS is infrastructure security, not a feature toggle.
Common Misunderstandings
“We already have a firewall”
Firewalls control where traffic can go, not who is on the other end. mTLS controls identity. You need both.
“We terminate TLS at a load balancer”
Load balancers affect client-facing TLS only.
They do not replace internal mTLS requirements between Clockspring components.
“This is only for large clusters”
Single-node and small deployments still use mTLS because:
the same security model applies
consistency prevents misconfiguration later
upgrades and scaling do not change trust assumptions
How This Fits with Other Security Topics
mTLS works together with:
keystores and truststores
internal CA management
outbound TLS validation
DMZ ingestion patterns
It is the foundation that everything else builds on.
Summary
Clockspring uses mTLS to protect itself.
It authenticates every internal connection
It prevents unauthorized nodes and spoofing
It secures traffic even on trusted networks
It is required, not optional
Once you understand mTLS as platform identity, the rest of Clockspring’s security model becomes much easier to reason about.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article