# Configuring mTLS

VGS allows you to upload a TLS certificate along with the private key to establish a trusted connection with a third party service like Visa or Mastercard.

You can choose while uploading a certificate between Inbound and Outbound proxy.

### Inbound Proxy

`Caller (for example Visa callback) -> VGS Inbound proxy +[mTLS] -> Customer’s API`

### Outbound Proxy

`Caller -> VGS Outbound proxy [+mTLS] -> upstream (third-party)`

![mTLS](https://2096104711-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUreALQAfVnRMQEz110rC%2Fuploads%2Fgit-blob-aa971851b56730b27bf60f5862d8ba3b0903b5d1%2Fmtls.png?alt=media)

The **private key** is used to encrypt the data over the TLS connection. The encryption prevents the data from being modified while it transits through the network.

**TLS Certificate** identifies the server and the company associated with the server.

Any certificate you upload must be associated with a set of credentials for Outbound flow or a route (i.e. Upstream) for Inbound flow.

## Uploading a TLS Certificate

All your mutuals TLS certificates can be found on the dashboard in the **Vault Settings** section.

To upload a certificate:

* Click **Add Certificate**
* Provide certificate
* Provide private key
* Choose an access credential (for Outbound) or route id (for Inbound) to associate the certificate with
* Click **Save**

Once uploaded, the mutual TLS certificate will appear in the dashboard with appropriate cert description, proxy type, access credentials (for Outbound), and expiration date. In the preview window, you will be able to see the cert signer.

> Outbound Certificates are not tied to a specific Outbound Route, instead, they are tied to their access credentials. Thus, in order to use the certificate, the request must be authenticated with the relevant credentials (in the format USERNAME:<PASSWORD@VAULT_ID.ENV.verygoodproxy.com>). This allows flexibility in using the certificate with any Outbound Route.

## Deleting a TLS Certificate

To remove a mutual TLS certificate:

* Go to the **Vault Settings** section on the dashboard
* Choose the certificate and click the **x** icon on the right
* You will be prompted for confirmation of deletion
* If you agree, click **Remove Certificate** button

Please mind, the removing of certificate will lead to it no longer being used for TLS connection with third-party.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.verygoodsecurity.com/vault/http-proxy/mutual-tls-certificates.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.