Set up mutual TLS (mTLS) between two services

Verified steps

1. Create or obtain a private certificate authority (CA) whose certificates will be trusted by both services; generate CA key material and a self-signed CA certificate using a tool such as openssl or cfssl, storing the CA private key securely in a secrets manager
2. Issue a server certificate signed by your CA for the server-side service, and issue a separate client certificate signed by the same CA for the calling service; embed the Subject Alternative Name (SAN) matching the server's hostname in the server certificate
3. Configure the server to present its certificate and to require client certificate verification; provide the CA certificate (or bundle) as the trusted root so the server can validate client certs
4. Configure the client to present its certificate and private key on outbound connections, and to verify the server certificate against the same CA bundle
5. Test the connection with a tool that supports client certificate authentication; verify that a connection without a client certificate is rejected with a TLS handshake error, not a 401 or 403
6. Automate certificate rotation before expiry: issue new client and server certificates, deploy them, and revoke the old ones; maintain a CRL or OCSP responder if runtime revocation is required