Nuvy - mTLS Documentation

mTLS Onboarding Guide

Certificate-based mutual authentication for Nuvy API

ⓘ

Flow Overview

▼

This guide describes step by step how a new client should perform mTLS (Mutual TLS) onboarding to consume protected endpoints of the Nuvy API. The goal is to ensure strong certificate-based authentication, where client and server validate each other before any HTTP request.

Client

→ CSR →

Nuvy CA

→ Client Cert →

Client

→ mTLS →

Nuvy API

Prerequisites

OpenSSL >= 1.1.1
Secure storage for sensitive files
Ability to configure certificates in application runtime

Algorithms

Key algorithm: RSA (CA: 4096 bits, Client: 2048 bits)
Signature / hash algorithm: SHA-256

Nuvy CA Certificate

▼

Nuvy will provide the client with the public CA certificate:

nuvy-ca.crt

This certificate is used only for validation and does not contain sensitive information. The client should store it securely for auditing and troubleshooting.

You can download the CA certificate from the "Download" tab.

Client Private Key Generation

▼

In the client's environment:

openssl genrsa -out nuvy-client.key 2048
chmod 600 nuvy-client.key

The client's private key must NEVER be shared with anyone, including Nuvy.

CSR Generation

▼

Generate a Certificate Signing Request (CSR):

openssl req -new \
  -key nuvy-client.key \
  -out nuvy-client.csr \
  -subj "/C=BR/O=CLIENT_NAME/OU=Production/CN=client-name"

Field	Description
CN	Unique client identifier
O	Company name
OU	Environment (e.g., Production)

Send CSR to Nuvy

▼

Send the following file to Nuvy through a secure channel previously agreed upon:

nuvy-client.csr

Certificate Issuance

▼

Nuvy will sign the CSR and generate the client certificate with:

ExtendedKeyUsage = clientAuth
KeyUsage = digitalSignature, keyEncipherment

The client will receive:

nuvy-client.crt

Local Validation (Mandatory)

▼

Before using in production, the client MUST validate:

openssl verify -CAfile nuvy-ca.crt nuvy-client.crt

Expected result:

nuvy-client.crt: OK

You can also use the "Validator" tab to verify your certificate online.

API Consumption with mTLS

▼

Example using curl:

curl -vk \
  --cert nuvy-client.crt \
  --key  nuvy-client.key \
  https://qa.mtls.nuvy.ai/test

A 404 response indicates mTLS success (TLS handshake was accepted, the endpoint simply doesn't exist).

Usage in Applications

▼

Code examples for common platforms:

Java

Configure KeyStore + TrustStore

Node.js

const agent = new https.Agent({ cert, key, ca });

Python

requests.get(url, cert=(crt, key), verify=ca)

Nuvy can provide additional examples on demand.

Rotation and Revocation

▼

When to rotate:

Key compromise
Certificate expiration
Environment change

Process:

Generate new key pair
Generate new CSR
New signature by Nuvy
Client update

Nuvy may revoke certificates at any time for security reasons.

Security Best Practices

▼

Protect *.key files with restricted permissions (chmod 600)
Never version-control private keys
Plan periodic certificate rotation
Monitor for ClientCertUntrusted errors in your logs

Troubleshooting

▼

Common error: ClientCertUntrusted

Certificate not signed by the correct CA
Incorrect CA in TrustStore
Expired certificate
HTTP/2 usage (try forcing HTTP/1.1)

Quick handshake test:

openssl s_client -connect qa.mtls.nuvy.ai:443 \
  -servername qa.mtls.nuvy.ai \
  -cert nuvy-client.crt \
  -key nuvy-client.key \
  -brief < /dev/null

Expected result:

CONNECTION ESTABLISHED

Client with Partner Certificate

▼

Some clients already use a certificate from another partner (e.g., for migration). In this case, the client sends Nuvy their client certificate and the full certificate chain (leaf + intermediate/root CAs).

Nuvy will then:

Extract the CA certificates from the chain
Configure the infrastructure to trust the client's CA
The client keeps using the same certificate and private key to connect to the Nuvy API

Contact

For onboarding, rotation, or incidents:

security@nuvy.ai

Download CA Certificate

Download the Nuvy CA public certificate (nuvy-ca.crt). This is step 1 of the onboarding process — you will need this certificate to verify that your signed client certificate is authentic.

Select environment:

SHA-256 Fingerprint

0C:FD:52:FF:F8:B9:F7:99:5A:F2:B3:7C:B7:89:73:27:88:16:30:A1:AB:F9:DE:DF:42:43:11:42:37:52:3C:60

This is the CA public certificate — it does not contain sensitive information and is safe to distribute.

Certificate Validator

After receiving your signed client certificate from Nuvy (step 5 of the guide), paste it here to confirm it was correctly issued by the Nuvy CA.

Paste your client certificate — nuvy-client.crt (PEM format):

Select environment to validate against:

How does this work?

This tool parses your PEM certificate and verifies that the Issuer field matches the Nuvy CA. The verification runs entirely in your browser - your certificate is never sent to any server.