---
title: "Managing mTLS with the C# client"
description: "Configure mutual TLS (mTLS) for Aerospike Database Enterprise Edition using the C# client."
---

# Managing mTLS with the C# client

> For the complete documentation index see: [llms.txt](https://aerospike.com/docs/llms.txt)
> 
> All documentation pages available in markdown.

Aerospike Database Enterprise Edition supports standard TLS and mutual authentication TLS (mTLS). This page describes how to configure a C# application to connect to an Aerospike cluster that uses mTLS.

You can find a fully-functional example project in the [aerospike-tls-examples](https://github.com/aerospike-examples/aerospike-tls-examples) GitHub repository.

## Keys and certificates

For mTLS, both the client and server must have their own private key and certificate. In the following example, they are both signed by the same Certificate Authority (CA).

Install the certificates and the key on the Aerospike server nodes:

-   CA Certificate: `example.ca.crt`
-   Server Certificate: `example.server.crt`
-   Server Private Key: `example.server.key`

Install the certificates and the key on the C# client nodes:

-   CA Certificate: `example.ca.crt`
-   Client Certificate: `example.client.crt`
-   Client Private Key: `example.client.key`

::: protect private keys
Protect your private keys, and never share them. Public keys are meant to be shared freely. Public keys encrypt; private keys decrypt. Anyone who acquires your private key can impersonate you.
:::

## Aerospike configuration

The following example `aerospike.conf` configuration shows only the stanzas and directives that are relevant for this TLS configuration:

Terminal window

```bash
network {

    tls example.server {

        ca-file /opt/aerospike/etc/certs/example.ca.crt

        cert-file /opt/aerospike/etc/certs/example.server.crt

        key-file /opt/aerospike/etc/private/example.server.key

    }

    service {

        tls-address any

        tls-port 4000

        tls-name example.server

        tls-authenticate-client example.client

    }

}
```

The `tls` block in the `network` stanza defines the TLS configuration for the Aerospike Database certificate. This is used in both standard TLS as well as in mTLS.

The name `example.server` is known as the _TLS name_. This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the server certificate `example.server.crt`. It must also be referenced in the application code to connect to the cluster. The following command verifies that the certificate has the expected CN value in the subject:

Command

Terminal window

```bash
openssl x509 -in example.server.crt -text -noout | grep -E -- "Subject:"
```

Example output

```text
Subject: CN = example.server, O = "Aerospike, Inc.", C = US
```

The [tls-authenticate-client](https://aerospike.com/docs/database/reference/config#network__tls-authenticate-client) directive specifies `example.client`. This must match the value of the Common Name (CN) or Subject Alternative Name (SAN) of the client certificate `example.client.crt`. The following command verifies that the certificate has the expected CN value in the subject:

Command

Terminal window

```bash
openssl x509 -in example.client.crt -text -noout | grep -E -- "Subject:"
```

Example output

```text
Subject: CN = example.client, O = "Aerospike, Inc.", C = US
```

::: bypass cn and san verification
The `tls-authenticate-client` directive includes a value of `any`, which bypasses the step in which the Common Name (CN)/Subject Alternative Names (SAN) are verified.
:::

## C# client TLS configuration

During the TLS handshake, the client sends its certificate and a message encrypted with the client’s private key to the server. The C# client passes client certificates to the server using the [`TlsPolicy.clientCertificates`](https://aerospike.com/apidocs/csharp/api/Aerospike.Client.TlsPolicy.html) field.

Import the client certificate and private key into a PKCS #12 (`.pfx`) file, then load it in your application:

```csharp
using Aerospike.Client;

using System.Security.Cryptography.X509Certificates;

TlsPolicy tlsPolicy = new();

X509Certificate2 clientCert = new(

    "/etc/aerospike/ssl/example.client.pfx",

    "changeit"

);

tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });
```

::: trust the ca certificate
The C# client validates the server certificate against the operating system’s trusted certificate store. Install the CA certificate (`example.ca.crt`) in the system or container trust store.
:::

If your cluster uses PKI-based user authentication (the client certificate’s CN is the Aerospike username), set `AuthMode.PKI` in the client policy. For transport-only mTLS with password-based users, omit `authMode` or leave it at the default `AuthMode.INTERNAL`:

```csharp
ClientPolicy policy = new()

{

    tlsPolicy = tlsPolicy,

    authMode = AuthMode.PKI

};
```

## C# application

A C# application that connects to an Aerospike cluster using mTLS:

-   Must enable TLS in the client policy.
-   Must specify the host’s TLS name.
-   Must provide the client certificate in `TlsPolicy.clientCertificates`.
-   Should log Aerospike debug messages when troubleshooting.

The following example connects to a cluster using mTLS:

```csharp
using Aerospike.Client;

using System.Security.Cryptography.X509Certificates;

Host host = new("127.0.0.1", "example.server", 4000);

TlsPolicy tlsPolicy = new();

X509Certificate2 clientCert = new(

    "/etc/aerospike/ssl/example.client.pfx",

    "changeit"

);

tlsPolicy.clientCertificates = new X509CertificateCollection(new X509Certificate[] { clientCert });

ClientPolicy policy = new()

{

    tlsPolicy = tlsPolicy,

    authMode = AuthMode.PKI

};

AerospikeClient client = new(policy, host);
```

The TLS name must match the Common Name (CN) or Subject Alternative Name (SAN) in the server certificate, as well as the `tls-name` used in the Aerospike configuration file.

To log Aerospike debug messages, see the C# client [logging usage](https://aerospike.com/docs/develop/client/csharp/logging/).

For standard TLS without mutual authentication, see [Connecting](https://aerospike.com/docs/develop/client/csharp/connect/#tls-secured-connection).

See the [TlsPolicy API documentation](https://aerospike.com/apidocs/csharp/api/Aerospike.Client.TlsPolicy.html) for additional TLS configuration options, including protocol selection and certificate revocation.