Set up mutual TLS

Last updated December 30th, 2025

To use mutual TLS, you must create the client certificate and its private key. Enter the following commands to set up your certificate for mutual TLS:

  1. Create your private key:

    openssl genrsa -out key.pem 4096

  2. Create your certificate:

    openssl req -x509 -new -key key.pem -out cert.pem -days 365

  3. Encrypt your private key:

    openssl pkcs8 -topk8 -in key.pem -out key.enc.pem -v2 aes-128-cbc
    mv key.enc.pem key.pem

    (Write the encrypted key to a new file first: openssl truncates the -out file before it reads -in, so using key.pem for both would destroy the key.)

  4. If you’re going to manually transfer the certificates to your devices, combine the two files to create efota_client.pem. If you’re going to use the Knox E-FOTA On-Premises agent’s managed configuration, skip this step.

    cat key.pem cert.pem > efota_client.pem

  5. Create a copy of cert.pem named client.pem for HAProxy:

    cp cert.pem client.pem

  6. Add the settings below to your HAProxy config file haproxy.cfg to install the client certificate and only allow authenticated clients. Note that verify optional still accepts TLS connections without a client certificate; it is the acl and http-request deny lines that reject unauthenticated requests to the /dfm/device/v1/ path:

    frontend fe_web
        bind *:80
        bind *:443 ssl crt /usr/local/etc/haproxy/example-sec-fota.net.pem ca-file /usr/local/etc/haproxy/client.pem verify optional

        # monitoring uri
        monitor-uri /health

        http-request capture req.hdr(Host) len 100

        acl acl_dfm_device path_reg ^/dfm/device/v1/*
        acl has_client_cert ssl_fc_has_crt eq 1
        http-request deny if acl_dfm_device !has_client_cert
        use_backend dfmCoreBackend if acl_dfm_device

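Before the key and certificate are pushed to devices (step 7) it is worth confirming that the encrypted key actually opens with the chosen password and still belongs to cert.pem, and that cert.pem verifies against itself the way HAProxy will check it via ca-file. The script below is an added example, not part of the Knox E-FOTA documentation: it repeats steps 1 to 4 non-interactively in a scratch directory (the subject name and the password are constructed example values, passed via -subj and -passout so nothing prompts) and then runs those checks. It assumes an openssl 1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example (not Samsung's code): build the mutual-TLS client material in
# a scratch directory and check it before pushing it to devices.
# Assumes: openssl on PATH; EFOTA_CLIENT_PASS holds the key password
# (the default below is a constructed example value).
set -eu

EFOTA_CLIENT_PASS="${EFOTA_CLIENT_PASS:-example-password-change-me}"

# build_client_material DIR : steps 1-4 of the procedure, non-interactive.
build_client_material() {
    dir="$1"
    ( cd "$dir" &&
      openssl genrsa -out key.pem 4096 2>/dev/null &&
      # constructed subject; a real deployment names the device/tenant here
      openssl req -x509 -new -key key.pem -out cert.pem -days 365 \
          -subj "/CN=efota-client-example" 2>/dev/null &&
      # encrypt into a new file: openssl truncates -out before reading -in
      openssl pkcs8 -topk8 -in key.pem -out key.enc.pem -v2 aes-128-cbc \
          -passout "pass:$EFOTA_CLIENT_PASS" &&
      mv key.enc.pem key.pem &&
      cat key.pem cert.pem > efota_client.pem )
}

# check_client_material DIR : exit 0 when everything is consistent, 1 otherwise.
check_client_material() {
    dir="$1"
    # the key must really be encrypted (PKCS#8) ...
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$dir/key.pem" || return 1
    # ... and must decrypt with the password that will be given to the agent
    key_pub=$(openssl pkey -in "$dir/key.pem" -passin "pass:$EFOTA_CLIENT_PASS" \
              -pubout 2>/dev/null) || return 1
    # the decrypted key must match the certificate's public key
    cert_pub=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ] || return 1
    # the combined file for manual transfer must carry both PEM blocks
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$dir/efota_client.pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$dir/efota_client.pem" || return 1
    # HAProxy validates the presented cert against ca-file (a copy of cert.pem),
    # so the self-signed cert must verify against itself
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
    return 0
}

# Usage:
#   d=$(mktemp -d); build_client_material "$d"; check_client_material "$d" && echo consistent
```

If check_client_material fails after a certificate has been regenerated, the most common cause is that cert.pem was re-issued from a new key while key.pem (and the copy in efota_client.pem) still holds the old one; HAProxy would then reject the handshake because the signature in the TLS CertificateVerify message does not match the certificate it was shown.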
  7. To apply the client certificate to your devices, you can either manually transfer the certificate file or push the certificate information through the Knox E-FOTA On-Premises agent’s managed configuration.

    1. If you’re manually transferring the certificate file, enter the password used to encrypt the private key in the efota_config file on the line after the server URL, then push the efota.pem, efota_client.pem, and efota_config files to the Downloads folder on your devices. Make sure the agent app APK is also in the Downloads folder when you run it to install the app. For details about installing the agent app, see Download and install the app.

    2. If you’re using the Knox E-FOTA On-Premises agent’s managed configuration, fill in the following configuration fields:

      • client_cert_pem — Paste the contents of cert.pem to push the client certificate to your devices.
      • client_key_pem — Paste the contents of key.pem to push the encrypted private key to your devices.
      • client_pem_password — Enter the password used to encrypt your private key in step 3.

      For details about the managed configuration, see how to Install the client through your EMM.
