What is mutual TLS (mTLS) and what is the purpose of its certificates in QuRouter?

Applicable Products

Hardware

• QHora-321
• QHora-322

Software

• QuRouter 2.4.2 and later versions

Overview

This tutorial explains how QuRouter utilizes mutual TLS (mTLS) and its certificates to facilitate secure communication between multiple QNAP products and services. By implementing mTLS, QuRouter enhances data protection and provides strong security for corporate networks.

What is mTLS?

Mutual TLS (mTLS) is an enhanced version of Transport Layer Security (TLS), a cryptographic protocol designed to authenticate both parties in a network connection. In contrast to standard TLS, which verifies only the server's identity, mTLS ensures that both the client and server authenticate each other. This two-way authentication is achieved by confirming that both sides hold valid private keys corresponding to their certificates. As a result, mTLS strengthens the trust between devices and services.

What certificate authorities (CAs) are used by mTLS?

A root TLS certificate is essential in mTLS for establishing a trusted connection. This certificate enables an organization to operate as its own certificate authority. Every certificate used by authorized clients and servers must be linked to this root certificate. As a self-signed certificate, the root certificate is created and managed by the organization itself, forming the basis for authenticating devices and services within the network.

Why does QuRouter use mTLS?

QuRouter adopts mTLS to provide secure communication between services, incorporating both encryption and mutual authentication. This approach utilizes certificates to bolster security within corporate networks and facilitate integration with QNAP products, such as the Airgap+ backup solution paired with Hybrid Backup Sync.

In the case of QuRouter, mTLS is vital for establishing a trusted communication pathway. For example, during the setup of Airgap+, the Hybrid Backup Center relies on mTLS to interact with QuRouter, enabling it to securely manage the port link status while ensuring authenticated communication.

How to configure mTLS in QuRouter?

1. Log in to QuRouter.
2. Go to System > Access Control > Access Control Settings.
3. Next to Mutual TLS (mTLS), click.

Note

When you enable mTLS, QuRouter requires certificates to access its web interface, as part of the mTLS mechanism. To keep logging in with just your account and password, simply cancel any certificate prompts that appear in your browser. Typically, the certificate prompt appears only once and does not return after being canceled, but it may reappear after you restart your PC.

An example of a certificate selection prompt displayed in QuRouter. 

How to manage signed certificates in QuRouter?

You can view signed certificates in QuRouter or revoke a certificate to prevent the service from communicating with QuRouter and managing the router.

1. Log in to QuRouter.
2. Navigate to System > Access Control > Certificates.

Note

To revoke a certificate, click .

Further Reading

How to Set Up Airgap+ to Protect Your HBS Backups