{"id":"e716c0c5-732f-4411-8d2b-7a800b63b09e","shortId":"BxZEbz","kind":"skill","title":"mtls-configuration","tagline":"Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.","description":"# mTLS Configuration\n\nComprehensive guide to implementing mutual TLS for zero-trust service mesh communication.\n\n## Do not use this skill when\n\n- The task is unrelated to mtls configuration\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources/implementation-playbook.md`.\n\n## Use this skill when\n\n- Implementing zero-trust networking\n- Securing service-to-service communication\n- Certificate rotation and management\n- Debugging TLS handshake issues\n- Compliance requirements (PCI-DSS, HIPAA)\n- Multi-cluster secure communication\n\n## Core Concepts\n\n### 1. mTLS Flow\n\n```\n┌─────────┐                              ┌─────────┐\n│ Service │                              │ Service │\n│    A    │                              │    B    │\n└────┬────┘                              └────┬────┘\n     │                                        │\n┌────┴────┐      TLS Handshake          ┌────┴────┐\n│  Proxy  │◄───────────────────────────►│  Proxy  │\n│(Sidecar)│  1. ClientHello             │(Sidecar)│\n│         │  2. ServerHello + Cert      │         │\n│         │  3. Client Cert             │         │\n│         │  4. Verify Both Certs       │         │\n│         │  5. Encrypted Channel       │         │\n└─────────┘                              └─────────┘\n```\n\n### 2. 
Certificate Hierarchy\n\n```\nRoot CA (Self-signed, long-lived)\n    │\n    ├── Intermediate CA (Cluster-level)\n    │       │\n    │       ├── Workload Cert (Service A)\n    │       └── Workload Cert (Service B)\n    │\n    └── Intermediate CA (Multi-cluster)\n            │\n            └── Cross-cluster certs\n```\n\n## Templates\n\n### Template 1: Istio mTLS (Strict Mode)\n\n```yaml\n# Enable strict mTLS mesh-wide\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: default\n  namespace: istio-system\nspec:\n  mtls:\n    mode: STRICT\n---\n# Namespace-level override (permissive for migration)\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: default\n  namespace: legacy-namespace\nspec:\n  mtls:\n    mode: PERMISSIVE\n---\n# Workload-specific policy\napiVersion: security.istio.io/v1beta1\nkind: PeerAuthentication\nmetadata:\n  name: payment-service\n  namespace: production\nspec:\n  selector:\n    matchLabels:\n      app: payment-service\n  mtls:\n    mode: STRICT\n  portLevelMtls:\n    8080:\n      mode: STRICT\n    9090:\n      mode: DISABLE  # Metrics port, no mTLS\n```\n\n### Template 2: Istio Destination Rule for mTLS\n\n```yaml\napiVersion: networking.istio.io/v1beta1\nkind: DestinationRule\nmetadata:\n  name: default\n  namespace: istio-system\nspec:\n  host: \"*.local\"\n  trafficPolicy:\n    tls:\n      mode: ISTIO_MUTUAL\n---\n# TLS to external service\napiVersion: networking.istio.io/v1beta1\nkind: DestinationRule\nmetadata:\n  name: external-api\nspec:\n  host: api.external.com\n  trafficPolicy:\n    tls:\n      mode: SIMPLE\n      caCertificates: /etc/certs/external-ca.pem\n---\n# Mutual TLS to external service\napiVersion: networking.istio.io/v1beta1\nkind: DestinationRule\nmetadata:\n  name: partner-api\nspec:\n  host: api.partner.com\n  trafficPolicy:\n    tls:\n      mode: MUTUAL\n      clientCertificate: /etc/certs/client.pem\n      privateKey: /etc/certs/client-key.pem\n      
caCertificates: /etc/certs/partner-ca.pem\n```\n\n### Template 3: Cert-Manager with Istio\n\n```yaml\n# cert-manager CA issuer backed by the mesh CA key pair. This issues file-mounted workload\n# certs; to have istiod itself sign workload certs from a cert-manager CA, deploy istio-csr instead.\napiVersion: cert-manager.io/v1\nkind: ClusterIssuer\nmetadata:\n  name: istio-ca\nspec:\n  ca:\n    secretName: istio-ca-secret\n---\n# CA key pair backing the issuer (a ClusterIssuer reads it from the cert-manager namespace by default)\napiVersion: v1\nkind: Secret\nmetadata:\n  name: istio-ca-secret\n  namespace: cert-manager\ntype: kubernetes.io/tls\ndata:\n  tls.crt: <base64-encoded-ca-cert>\n  tls.key: <base64-encoded-ca-key>\n---\n# Short-lived workload certificate, renewed by cert-manager 8h before it expires\napiVersion: cert-manager.io/v1\nkind: Certificate\nmetadata:\n  name: my-service-cert\n  namespace: my-namespace\nspec:\n  secretName: my-service-tls\n  duration: 24h\n  renewBefore: 8h\n  issuerRef:\n    name: istio-ca\n    kind: ClusterIssuer\n  commonName: my-service.my-namespace.svc.cluster.local\n  dnsNames:\n    - my-service\n    - my-service.my-namespace\n    - my-service.my-namespace.svc\n    - my-service.my-namespace.svc.cluster.local\n  usages:\n    - server auth\n    - client auth\n```\n\n### Template 4: SPIFFE/SPIRE Integration\n\n```yaml\n# SPIRE Server configuration\napiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: spire-server\n  namespace: spire\ndata:\n  server.conf: |\n    server {\n      bind_address = \"0.0.0.0\"\n      bind_port = \"8081\"\n      trust_domain = \"example.org\"\n      data_dir = \"/run/spire/data\"\n      log_level = \"INFO\"\n      ca_ttl = \"168h\"\n      default_x509_svid_ttl = \"1h\"\n    }\n\n    plugins {\n      DataStore \"sql\" {\n        plugin_data {\n          database_type = \"sqlite3\"\n          connection_string = \"/run/spire/data/datastore.sqlite3\"\n        }\n      }\n\n      NodeAttestor \"k8s_psat\" {\n        plugin_data {\n          clusters = {\n            \"demo-cluster\" = {\n              service_account_allow_list = [\"spire:spire-agent\"]\n            }\n          }\n        }\n      }\n\n      # \"memory\" does not persist signing keys across server restarts; use \"disk\" or a\n      # KMS/HSM-backed KeyManager in production\n      KeyManager \"memory\" {\n        plugin_data {}\n      }\n\n      
UpstreamAuthority \"disk\" {\n        plugin_data {\n          key_file_path = \"/run/spire/secrets/bootstrap.key\"\n          cert_file_path = \"/run/spire/secrets/bootstrap.crt\"\n        }\n      }\n    }\n---\n# SPIRE Agent DaemonSet (abbreviated)\napiVersion: apps/v1\nkind: DaemonSet\nmetadata:\n  name: spire-agent\n  namespace: spire\nspec:\n  selector:\n    matchLabels:\n      app: spire-agent\n  template:\n    metadata:\n      labels:\n        app: spire-agent  # must match the selector or the API server rejects the DaemonSet\n    spec:\n      containers:\n        - name: spire-agent\n          image: ghcr.io/spiffe/spire-agent:1.8.0\n          volumeMounts:\n            - name: spire-agent-socket\n              mountPath: /run/spire/sockets\n      volumes:\n        - name: spire-agent-socket\n          hostPath:\n            path: /run/spire/sockets\n            type: DirectoryOrCreate\n```\n\n### Template 5: Linkerd mTLS (Automatic)\n\n```yaml\n# Linkerd enables mTLS automatically between meshed pods; traffic to unmeshed or external\n# endpoints is not upgraded. Verify with:\n# linkerd viz edges deployment -n my-namespace\n\n# Server: declare the protocol of an inbound port on meshed pods so the proxy does not have to detect it\napiVersion: policy.linkerd.io/v1beta1\nkind: Server\nmetadata:\n  name: my-app-api\n  namespace: my-namespace\nspec:\n  podSelector:\n    matchLabels:\n      app: my-app\n  port: api                # named container port on the selected pods\n  proxyProtocol: HTTP/1    # opaque for non-HTTP protocols, TLS for passthrough of already-encrypted traffic\n---\n# Bypass the proxy for an outbound port: the annotation goes on the client pod template,\n# not on a Service (abbreviated Deployment)\napiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: my-app\nspec:\n  template:\n    metadata:\n      annotations:\n        config.linkerd.io/skip-outbound-ports: \"3306\"  # MySQL, unencrypted and outside the mesh\n```\n\n## Certificate Rotation\n\n```bash\n# Istio - Check certificate expiry (istiod rotates workload certs automatically before they expire)\nistioctl proxy-config secret deploy/my-app -o json | \\\n  jq -r '.dynamicActiveSecrets[0].secret.tlsCertificate.certificateChain.inlineBytes' | \\\n  base64 -d | openssl x509 -text -noout\n\n# Force immediate reissue (a restart makes the sidecar request a fresh cert; it is not the normal rotation path)\nkubectl rollout restart deployment/my-app\n\n# Check the Linkerd identity certificates of the selected pods\nlinkerd identity -n my-namespace -l app=my-app\n```\n\n## Debugging mTLS Issues\n\n```bash\n# Istio - Check the effective mTLS mode of a workload (replaces the removed istioctl authn tls-check)\nistioctl x describe pod <my-app-pod> -n my-namespace\n\n# Verify peer 
authentication\nkubectl get peerauthentication --all-namespaces\n\n# Check destination rules\nkubectl get destinationrule --all-namespaces\n\n# Debug TLS handshake (scope the logger; --level debug on every logger is very noisy)\nistioctl proxy-config log deploy/my-app --level connection:debug\nkubectl logs deploy/my-app -c istio-proxy | grep -iE 'tls|ssl'\n\n# Linkerd - Check mTLS status\nlinkerd viz edges deployment -n my-namespace\nlinkerd viz tap deploy/my-app --to deploy/my-backend\n```\n\n## Best Practices\n\n### Do's\n- **Start with PERMISSIVE** - Migrate gradually to STRICT, and confirm no plaintext traffic remains before flipping (`linkerd viz edges`, or in Istio `istio_requests_total` with `connection_security_policy=\"none\"`)\n- **Monitor certificate expiry** - Alert on certificates that were not renewed on schedule, not only on ones about to expire\n- **Use short-lived certs** - 24h or less for workloads\n- **Rotate CA periodically** - Distribute the new root in the trust bundle before issuing from it, so old and new chains both verify during the switch\n- **Log TLS errors** - For debugging and audit\n\n### Don'ts\n- **Don't disable mTLS** - For convenience in production\n- **Don't ignore cert expiry** - Automate rotation\n- **Don't hand-issue self-signed leaf certs** - Every workload cert should chain to the mesh CA hierarchy (only the root is self-signed, by definition)\n- **Don't skip verification** - Verify the full chain and the peer identity (SPIFFE ID or SAN), not just that a certificate was presented\n\n## Resources\n\n- [Istio Security](https://istio.io/latest/docs/concepts/security/)\n- [SPIFFE/SPIRE](https://spiffe.io/)\n- [cert-manager](https://cert-manager.io/)\n- [Zero Trust Architecture (NIST)](https://www.nist.gov/publications/zero-trust-architecture)\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are 
missing.","tags":["mtls","configuration","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-mtls-configuration","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/mtls-configuration","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34666 github stars · SKILL.md body (8,645 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T06:51:35.991Z","embedding":null,"createdAt":"2026-04-18T21:41:05.295Z","updatedAt":"2026-04-23T06:51:35.991Z","lastSeenAt":"2026-04-23T06:51:35.991Z","tsv":"'/)':896,902 '/etc/certs/client-key.pem':364 '/etc/certs/client.pem':362 '/etc/certs/external-ca.pem':337 '/etc/certs/partner-ca.pem':366 '/latest/docs/concepts/security/)':892 '/publications/zero-trust-architecture)':909 '/run/spire/data':509 '/run/spire/data/datastore.sqlite3':531 '/run/spire/secrets/bootstrap.crt':564 '/run/spire/secrets/bootstrap.key':560 '/run/spire/sockets':605,614 '/skip-outbound-ports:':691 
'/spiffe/spire-agent:1.8.0':597 '/tls':421 '/v1':385,431 '/v1beta1':209,233,254,296,321,346,645 '0':711 '0.0.0.0':500 '1':131,143,194 '168h':515 '1h':520 '2':146,159,286 '24h':451,832 '3':149,368 '3306':692 '4':152,477 '5':156,618 '8080':275 '8081':503 '8h':453 '9090':278 'abbrevi':568 'account':542 'action':84 'address':499 'agent':548,566,577,586,593,602,610 'alert':826 'all-namespac':759,768 'allow':543 'annot':688 'api':328,353,652,667 'api.external.com':331 'api.partner.com':356 'apivers':206,230,251,293,318,343,382,404,428,484,569,642,679 'app':267,583,660,663 'appli':76 'apps/v1':570 'architectur':905 'ask':943 'audit':850 'auth':473,475 'authent':755 'authn':748 'autom':866 'automat':621,626 'b':137,182 'base64':715 'bash':696,740 'best':78,810 'bind':498,501 'boundari':951 'c':785 'ca':163,171,184,392,394,398,402,412,458,513,838,842,877 'cacertif':336,365 'cert':148,151,155,176,180,191,370,377,416,439,561,831,864,874,898 'cert-manag':369,376,415,897 'cert-manager.io':384,430,901 'cert-manager.io/)':900 'cert-manager.io/v1':383,429 'certif':24,110,160,425,433,694,699,722,822 'chain':886 'channel':158 'check':698,728,742,751,762,793 'clarif':945 'clarifi':70 'clear':918 'client':150,474 'clientcertif':361 'clienthello':144 'cluster':126,173,187,190,537,540 'cluster-level':172 'clusterissu':387,460 'commonnam':461 'communic':16,30,45,109,128 'complianc':118 'comprehens':33 'concept':130 'config':704,777 'config.linkerd.io':690 'config.linkerd.io/skip-outbound-ports:':689 'configmap':487 'configur':3,4,32,58,483 'connect':529 'constraint':72 'contain':589 'conveni':858 'core':129 'creat':400 'criteria':954 'cross':189 'cross-clust':188 'd':714,716 'daemonset':567,572 'data':422,495,507,525,536,552,556 'databas':526 'datastor':522 'debug':114,737,771,781,848 'default':214,238,301,516 'demo':539 'demo-clust':538 'deploy':632,799 'deploy/my-app':706,779,784,807 'deploy/my-backend':809 'deployment/my-app':727 'describ':922 'destin':288,763 
'destinationrul':298,323,348,767 'detail':89 'differ':62 'dir':508 'directoryorcr':616 'disabl':280,855 'disk':554 'dnsname':463 'domain':63,505 'dss':122 'durat':450 'dynamicactivesecret':710 'edg':631,798 'enabl':200,624,746 'encrypt':157 'environ':934 'environment-specif':933 'error':846 'exampl':90 'example.org':506 'expert':939 'expiri':700,823,865 'extern':316,327,341,638,651,666 'external-api':326,650,665 'file':558,562 'flow':133 'forc':721 'full':885 'get':757,766 'ghcr.io':596 'ghcr.io/spiffe/spire-agent:1.8.0':595 'goal':71 'gradual':818 'grep':789 'guid':34 'handshak':116,139,773 'hierarchi':161,878 'hipaa':123 'host':307,330,355 'hostpath':612 'http/1':669 'ident':730,732 'ignor':863 'imag':594 'implement':19,36,99 'info':512 'input':75,948 'instal':375 'instruct':69 'integr':479 'intermedi':170,183 'intern':28 'issu':117,739 'issuer':379 'issuerref':454 'istio':195,217,287,304,312,373,381,391,397,401,411,457,697,741,787,888 'istio-ca':390,456 'istio-ca-secret':396,410 'istio-proxi':786 'istio-system':216,303 'istio.io':891 'istio.io/latest/docs/concepts/security/)':890 'istioctl':701,747,774 'jq':709 'json':708 'k8s':533 'key':557 'keymanag':549 'kind':210,234,255,297,322,347,386,406,432,459,486,571,646,681 'kubectl':724,756,765,782 'kubernetes.io':420 'kubernetes.io/tls':419 'legaci':241 'legacy-namespac':240 'less':834 'level':174,225,511,780 'limit':910 'linkerd':619,623,629,729,731,792,796,804 'list':544 'live':169,830 'local':308 'log':510,778,783,844 'long':168 'long-liv':167 'manag':25,113,371,378,417,899 'match':919 'matchlabel':266,582,659 'memori':550 'mesh':44,204 'mesh-wid':203 'metadata':212,236,257,299,324,349,388,408,434,488,573,648,683 'metric':281 'migrat':229,817 'miss':956 'mode':198,221,245,272,276,279,311,334,359 'monitor':821 'mountpath':604 'mtls':2,7,31,57,132,196,202,220,244,271,284,291,620,625,641,738,744,794,856 'mtls-configur':1 'multi':125,186 'multi-clust':124,185 'mutual':5,37,313,338,360 'my-app':661 
'my-namespac':441,634,654,734,801 'my-servic':464,685 'my-service-cert':436 'my-service-tl':446 'my-service.my':467 'my-service.my-namespace.svc':469 'my-service.my-namespace.svc.cluster.local':462,470,752 'mysql':693 'n':633,733,800 'name':213,237,258,300,325,350,389,409,435,455,489,574,590,599,607,649,684 'namespac':215,224,239,242,262,302,414,440,443,468,493,578,636,653,656,736,761,770,803 'namespace-level':223 'need':60 'network':23,103 'networking.istio.io':295,320,345 'networking.istio.io/v1beta1':294,319,344 'nist':906 'nodeattestor':532 'noout':720 'o':707 'open':93 'openssl':717 'outcom':82 'output':928 'outsid':66 'overrid':226 'partner':352 'partner-api':351 'passthrough':673 'path':559,563,613 'payment':260,269 'payment-servic':259,268 'pci':121 'pci-dss':120 'peer':754 'peerauthent':211,235,256,758 'period':839 'permiss':227,246,816,949 'plan':840 'plugin':521,524,535,551,555 'podselector':658 'polici':250 'policy.linkerd.io':644 'policy.linkerd.io/v1beta1':643 'port':282,502,664,678 'portlevelmtl':274 'practic':79,811 'privatekey':363 'product':263,860 'proper':876 'provid':83 'proxi':140,141,703,776,788 'proxy-config':702,775 'proxyprotocol':668 'psat':534 'relev':77 'renewbefor':452 'requir':74,92,119,947 'resourc':887 'resources/implementation-playbook.md':94 'restart':726 'review':940 'rollout':725 'root':162 'rotat':111,695,723,837,843,867 'rule':289,764 'safeti':950 'scope':68,921 'secret':399,403,407,413,705 'secret.tlscertificate.certificatechain.inlinebytes':712 'secretnam':395,445 'secur':27,104,127,889 'security.istio.io':208,232,253 'security.istio.io/v1beta1':207,231,252 'selector':265,581 'self':165,872 'self-sign':164,871 'server':472,482,492,497,647 'server.conf':496 'serverhello':147 'servic':13,15,29,43,106,108,134,135,177,181,261,270,317,342,438,448,466,541,639,682,687 'service-to-servic':12,105 'set':824 'short':829 'short-liv':828 'sidecar':142,145 'sign':166,873 'simpl':335 'skill':50,97,913 'skill-mtls-configuration' 
'skip':674,881 'socket':603,611 'source-sickn33' 'spec':219,243,264,306,329,354,393,444,580,588,657 'specif':249,677,935 'spiffe.io':895 'spiffe.io/)':894 'spiffe/spire':478,893 'spire':481,491,494,545,547,565,576,579,585,592,601,609 'spire-ag':546,575,584,591 'spire-agent-socket':600,608 'spire-serv':490 'sql':523 'sqlite3':528 'start':814 'status':795 'step':85 'stop':941 'strict':197,201,222,273,277,820 'string':530 'substitut':931 'success':953 'svid':518 'system':218,305 'tap':806 'task':53,917 'templat':192,193,285,367,476,587,617 'test':937 'text':719 'tls':6,38,115,138,310,314,333,339,358,449,671,675,750,772,791,845 'tls-check':749 'tls.crt':423 'tls.key':424 'tool':65 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'tr':713 'trafficpolici':309,332,357 'treat':926 'trust':11,22,42,102,504,904 'ts':852 'ttl':514,519 'type':418,527,615 'unrel':55 'upstreamauthor':553 'usag':471 'use':17,48,95,827,870,875,911 'v1':405,485,680 'valid':81,936 'verif':87,882 'verifi':153,627,753,883 'viz':630,797,805 'volum':606 'volumemount':598 'wide':205 'without':640 'workload':175,179,248,427,836 'workload-specif':247 'www.nist.gov':908 'www.nist.gov/publications/zero-trust-architecture)':907 'x509':517,718 'yaml':199,292,374,480,622 'zero':10,21,41,101,903 
'zero-trust':9,20,40,100","prices":[{"id":"383cc773-d166-4683-8af7-6699dab8a854","listingId":"e716c0c5-732f-4411-8d2b-7a800b63b09e","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:41:05.295Z"}],"sources":[{"listingId":"e716c0c5-732f-4411-8d2b-7a800b63b09e","source":"github","sourceId":"sickn33/antigravity-awesome-skills/mtls-configuration","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/mtls-configuration","isPrimary":false,"firstSeenAt":"2026-04-18T21:41:05.295Z","lastSeenAt":"2026-04-23T06:51:35.991Z"}],"details":{"listingId":"e716c0c5-732f-4411-8d2b-7a800b63b09e","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"mtls-configuration","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34666,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. 
Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"b2aa85143cb290794aee8384e74079a03a3361a1","skill_md_path":"skills/mtls-configuration/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/mtls-configuration"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"mtls-configuration","description":"Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/mtls-configuration"},"updatedAt":"2026-04-23T06:51:35.991Z"}}
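The "mTLS Flow" and "Certificate Hierarchy" sections of the description above stop at a diagram and YAML. The Go program below is an added example, not code from the page or from Istio, Linkerd or SPIRE: it builds the Root CA -> Intermediate CA -> workload chain in memory, then runs three in-process mTLS handshakes against one server that requires a client certificate chaining to the root and, on top of that, authorizes the peer by its SPIFFE URI SAN. The trust domain example.org matches the SPIRE config; the service names, SPIFFE IDs and the DNS name are assumptions made for the example.

```go
// Added example (not from the page, Istio, Linkerd or SPIRE): an in-memory Root -> Intermediate ->
// workload certificate hierarchy, then in-process mTLS handshakes authorized by SPIFFE ID.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Hypothetical identities; the trust domain matches the SPIRE config in the description.
const (
	serverDNS = "service-b.production.svc.cluster.local"
	serverID  = "spiffe://example.org/ns/production/sa/service-b"
	clientID  = "spiffe://example.org/ns/production/sa/service-a"
	otherID   = "spiffe://example.org/ns/production/sa/billing" // valid chain, but not on the allow-list
)

var serial int64

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a CA (spiffeID == "") or a workload SVID named by its SPIFFE URI SAN;
// the optional DNS SAN lets a plain Go client keep standard hostname checks on the server.
func template(cn, spiffeID string, ttl time.Duration, dns ...string) *x509.Certificate {
	serial++
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), DNSNames: dns,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if spiffeID == "" {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
		return t
	}
	u, _ := url.Parse(spiffeID)
	t.URIs = []*url.URL{u}
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	return t
}

// issue signs tmpl with parent (self-signs a root when parent is nil) and bundles the issuer's
// cert behind the new one, so peers are sent a chain rather than a bare leaf.
func issue(tmpl *x509.Certificate, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer, signerKey, chain := tmpl, key, [][]byte(nil)
	if parent != nil {
		signer, signerKey, chain = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey), parent.Certificate[:1]
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: append([][]byte{der}, chain...), PrivateKey: key, Leaf: leaf}
}

// spiffeVerifier runs after Go has validated the chain against ClientCAs: a valid chain is
// authentication; matching the SPIFFE ID allow-list is the authorization decision.
func spiffeVerifier(allowed ...string) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 {
			return fmt.Errorf("mtls: no verified chain for peer")
		}
		for _, u := range chains[0][0].URIs {
			for _, a := range allowed {
				if u.String() == a {
					return nil
				}
			}
		}
		return fmt.Errorf("mtls: peer SPIFFE ID %v not authorized", chains[0][0].URIs)
	}
}

// handshake runs one connection against an in-process listener and returns the server's
// verdict; a TLS 1.3 client completes its side before the server can reject it.
func handshake(srv, cli *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cli); err == nil {
		conn.Close()
	}
	return <-verdict
}

// Run builds the hierarchy and reports the server's decision for three client identities:
// ok for the allowed workload, and the rejection reasons for the other two.
func Run() (ok bool, wrongID, foreignCA string) {
	root := issue(template("Root CA", "", 10*365*24*time.Hour), nil)
	inter := issue(template("Intermediate CA (production)", "", 365*24*time.Hour), root)
	server := issue(template("service-b", serverID, time.Hour, serverDNS), inter)
	clientA := issue(template("service-a", clientID, time.Hour), inter)
	billing := issue(template("billing", otherID, time.Hour), inter)
	rogue := issue(template("service-a", clientID, time.Hour), issue(template("Rogue CA", "", time.Hour), nil))

	roots := x509.NewCertPool()
	roots.AddCert(root.Leaf)
	srv := &tls.Config{
		Certificates:          []tls.Certificate{*server},
		ClientAuth:            tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:             roots,
		VerifyPeerCertificate: spiffeVerifier(clientID),
		MinVersion:            tls.VersionTLS13,
	}
	cli := func(id *tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: roots, ServerName: serverDNS, MinVersion: tls.VersionTLS13,
			// Present this identity unconditionally; the server alone decides whether to trust it.
			GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return id, nil }}
	}
	ok = handshake(srv, cli(clientA)) == nil
	if err := handshake(srv, cli(billing)); err != nil {
		wrongID = err.Error()
	}
	if err := handshake(srv, cli(rogue)); err != nil {
		foreignCA = err.Error()
	}
	return ok, wrongID, foreignCA
}

func main() {
	fmt.Println(Run())
}
```

Run it with `go run` to see the three verdicts: the workload whose chain reaches the root and whose SPIFFE ID is on the allow-list connects; the one with a valid chain but a different SPIFFE ID is refused by the verifier; the one claiming the right SPIFFE ID but chaining to an untrusted CA never reaches the verifier, because chain validation rejects it first. The only external behaviour it relies on is a loopback TCP listener on an ephemeral port.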