Portainer Documentation
Official WebsiteKnowledge BasePricingGet 3 Nodes of BE Free
2.21 LTS
2.21 LTS
  • Welcome
  • What's new in version 2.21
  • Release Notes
  • Getting Started
    • Introduction
    • Portainer architecture
    • Lifecycle policy
    • Requirements and prerequisites
    • Install Portainer BE
      • Set up a new Portainer BE Server installation
        • Docker Standalone
          • Install Portainer BE with Docker on Linux
          • Install Portainer BE with Docker on WSL / Docker Desktop
          • Install Portainer BE with Docker on Windows Container Service
        • Docker Swarm
          • Install Portainer BE with Docker Swarm on Linux
          • Install Portainer BE with Docker Swarm on WSL / Docker Desktop
          • Install Portainer BE with Docker Swarm on Windows Container Service
        • Kubernetes
          • Install Portainer BE on your Kubernetes environment
          • Install Portainer BE with Kubernetes on WSL / Docker Desktop
        • Initial setup
    • Install Portainer CE
      • Set up a new Portainer CE Server installation
        • Docker Standalone
          • Install Portainer CE with Docker on Linux
          • Install Portainer CE with Docker on WSL / Docker Desktop
          • Install Portainer CE with Docker on Windows Container Service
        • Docker Swarm
          • Install Portainer CE with Docker Swarm on Linux
          • Install Portainer CE with Docker Swarm on WSL / Docker Desktop
          • Install Portainer CE with Docker Swarm on Windows Container Service
        • Kubernetes
          • Install Portainer CE on your Kubernetes environment
          • Install Portainer CE with Kubernetes on WSL / Docker Desktop
        • Initial setup
    • Add an environment to an existing installation
    • Updating Portainer
      • Updating on Docker Standalone
      • Updating on Docker Swarm
      • Updating on Kubernetes
      • Updating on Nomad
      • Updating the Edge Agent
      • Updating from Portainer 1.x
      • Switching to Portainer Business Edition
        • Upgrade to Business Edition from within Portainer Community Edition
        • Docker Standalone
        • Docker Swarm
        • Kubernetes
        • Upgrading Agent-only deployments
  • Using Portainer
    • Home
      • Snapshot browsing
      • OpenAMT
    • Docker/Swarm
      • Dashboard
      • Templates
        • Application
        • Custom templates
        • Deploy a stack
        • Deploy a container
      • Stacks
        • Add a new stack
        • Inspect or edit a stack
        • Create a template from a deployed stack
        • Webhooks
        • Migrate or duplicate a stack
        • Remove a stack
      • Services
        • Add a new service
        • Configure service options
        • Scale a service
        • View the status of a service task
        • View service logs
        • Roll back a service
        • Webhooks
      • Containers
        • Add a new container
        • View a container's details
        • Inspect a container
        • Edit or duplicate a container
        • Advanced container settings
        • Webhooks
        • Attach a volume to a container
        • View container logs
        • View container statistics
        • Access a container's console
        • Change container ownership
        • Remove a container
      • Images
        • Pull an image
        • Build a new image
        • Import an image
        • Export an image
      • Networks
        • Add a new network
        • Remove a network
      • Volumes
        • Add a new volume
        • Browse a volume
        • Remove a volume
      • Configs
        • Add a new config
        • Remove a config
      • Secrets
        • Add a new secret
        • Remove a secret
      • Events
      • Host
        • Details
        • Setup
        • Registries
      • Swarm
        • Details
        • Cluster visualizer
        • Setup
        • Registries
    • Kubernetes
      • Dashboard
      • kubectl shell
      • Kubeconfig
      • Custom Templates
        • Add a new custom template
        • Edit a custom template
        • Remove a custom template
      • Namespaces
        • Add a new namespace
        • Manage a namespace
        • Manage access to a namespace
        • Remove a namespace
      • Helm
      • Applications
        • Add a new application using a form
        • Add a new application using a manifest
        • Inspect an application
        • Inspect a Helm application
        • Edit an application
        • Webhooks
        • Detach a volume from an application
        • Remove an application
      • Networking
        • Services
        • Ingresses
          • Add an Ingress manually
          • Add an Ingress using a manifest
          • Remove an Ingress
      • ConfigMaps & Secrets
        • Add a ConfigMap
        • Add a Secret
      • Volumes
        • Inspect a volume
        • Remove a volume
      • More Resources
        • Service Accounts
        • Cluster Roles
        • Roles
      • Cluster
        • Details
        • Inspect a node
        • Setup
        • Security constraints
        • Registries
    • Azure ACI
      • Dashboard
      • Container instances
        • Add a new container
        • Remove a container
    • Nomad
    • Edge Compute
      • Edge Groups
      • Edge Stacks
        • Add a new Edge Stack
      • Edge Jobs
      • Edge Configurations
      • Waiting Room
      • Edge Templates
        • Application
        • Custom
    • Account settings
  • Administering Portainer
    • User-related
      • Users
      • Add a new user
      • Turn a user into an administrator
      • Reset a user's password
      • Teams
        • Add a new team
        • Add a user to a team
      • Roles
    • Environment-related
      • Environments
      • Add a new environment
        • Add a local environment
        • Add a Docker Standalone environment
          • Install Portainer Agent on Docker Standalone
          • Connect to the Docker API
          • Connect to the Docker Socket
          • Install Edge Agent Standard on Docker Standalone
          • Install Edge Agent Async on Docker Standalone
        • Add a Docker Swarm environment
          • Install Portainer Agent on Docker Swarm
          • Connect to the Docker API
          • Connect to the Docker Socket
          • Install Edge Agent Standard on Docker Swarm
          • Install Edge Agent Async on Docker Swarm
        • Add a Kubernetes environment
          • Install Portainer Agent on your Kubernetes environment
          • Install Edge Agent Standard on Kubernetes
          • Install Edge Agent Async on Kubernetes
          • Import an existing Kubernetes environment
        • Add an ACI environment
        • Add a Nomad environment
        • Provision KaaS Cluster
          • Civo
          • Akamai Connected Cloud
          • DigitalOcean
          • Google Cloud
          • AWS
          • Azure
        • Create a Kubernetes cluster
          • MicroK8s
            • Offline installation
        • Add an environment via the Portainer API
      • Auto onboarding
      • Groups
      • Tags
      • Manage access to environments
      • Manage access to environment groups
      • Update & Rollback
    • Registries
      • Add a new registry
        • Add a DockerHub account
        • Add an AWS ECR registry
        • Add a Quay.io registry
        • Add a ProGet registry
        • Add an Azure registry
        • Add a Gitlab registry
        • Add a GitHub registry
        • Add a custom registry
      • Browse a registry
      • Manage a registry
    • Licenses
    • Logs
      • Authentication
      • Activity
    • Notifications
    • Settings
      • General
      • Authentication
        • Authenticate via LDAP
        • Authenticate via Active Directory
        • Authenticate via OAuth
      • Shared credentials
        • Add Civo credentials
        • Add Akamai Connected Cloud credentials
        • Add DigitalOcean credentials
        • Add Google Cloud credentials
        • Add AWS credentials
        • Add Azure credentials
        • Add SSH credentials
      • Edge Compute
  • Frequently Asked Questions
    • Portainer Concepts
    • Installing
    • Upgrading
    • Troubleshooting
    • Contributing
  • Advanced Topics
    • CLI configuration options
    • App templates
      • Build and host your own app templates
      • App template JSON format
    • The Portainer Edge Agent
    • Access control
    • Reset the admin user's password
    • Security and compliance
    • Encrypting the Portainer database
    • Using your own SSL certificate with Portainer
    • Using mTLS with Portainer
    • Stream auth and activity logs to an external provider
    • Using Portainer with reverse proxies
      • Deploying Portainer behind Traefik Proxy
      • Deploying Portainer behind nginx reverse proxy
    • How Relative Path Support works in Portainer
    • Helm chart configuration options
    • Docker roles and permissions
    • Kubernetes roles and bindings
    • Deprecated and removed features
  • API
    • Accessing the Portainer API
    • API documentation
    • API usage examples
  • Get More Help
    • Knowledge Base
    • Portainer Academy
    • YouTube
    • GitHub
    • Slack
    • Discord
    • Open a support request
  • Contribute to Portainer
    • Contribute
    • Build instructions
      • Set up a macOS build environment
      • Set up a Linux build environment
Powered by GitBook
On this page
  • Requirements
  • Configuring the Portainer Server
  • Configure mTLS during installation
  • Configure mTLS post installation
  • Deploying the Edge Agents
  • Docker Standalone
  • Docker Swarm
  • Kubernetes

Was this helpful?

Edit on GitHub
  1. Advanced Topics

Using mTLS with Portainer

PreviousUsing your own SSL certificate with PortainerNextStream auth and activity logs to an external provider

Last updated 2 months ago

Was this helpful?

Mutual TLS (or mTLS) is a certificate-based system whereby the client and server (in this case, the Portainer Edge Agent and the Portainer Server) authenticate each other cryptographically via a trusted source (a certificate authority). This can be used as an extra layer of security to protect the communications between the Edge Agent and Portainer. Under this setup, if a third-party system attempts to communicate with the Portainer Server and is not using a certificate signed by the certificate authority it will be rejected.

This article will walk you through the process of deploying the Portainer Server and the Edge Agents with mTLS support.

mTLS support is only available in Portainer Business Edition.

Requirements

In order to configure Portainer with mTLS support, you will need the following:

  • A Portainer Server and a Portainer Edge Agent.

  • A certificate authority (CA). You can use your own corporate CA or a CA for which you completely control the certificate issuance policy.

  • The CA certificate for your certificate authority, in PEM format (mtlsca.crt).

  • A domain (or subdomain) you can point to your Portainer Server instance to be specifically used for mTLS. This will be the domain the server certificate is issued for.

  • A server certificate (mtlsserver.crt) and corresponding key (mtlsserver.key) issued by your CA for the Portainer Server, in PEM format. Ensure these are issued with serverAuth selected for extendedKeyUsage. This certificate should have the domain (or subdomain) that will be used for mTLS as the Subject Alternative Name (SAN).

  • A client certificate (client.crt) and corresponding key (client.key) issued by your CA for the Edge Agent, in PEM format. Ensure these are issued with clientAuth selected for extendedKeyUsage.

Configuring the Portainer Server

To use mTLS with your Edge Agents, the Portainer Server instance must be configured with mTLS support. This can either be done during the initial installation of the Portainer Server instance, or after installation through the .

Configure mTLS during installation

When deploying your Portainer Server, you will need to make the CA certificate, server certificate and server key available to Portainer. How you do this will depend on your deployment.

Docker Standalone

On your Docker host, upload your CA certificate (mtlsca.crt), server certificate (mtlsserver.crt) and server key (mtlsserver.key) into a directory that will be bind mounted into the Portainer container. In this example we assume your certificates are located at /root/certs.

Modify your docker run command to mount the /root/certs directory to /certs and add the --mtlscacert, --mtlscert, and --mtlskey options:

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \ 
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    -v /root/certs:/certs \
    portainer/portainer-ee:2.21.5 \
    --mtlscacert /certs/mtlsca.crt \    
    --mtlscert /certs/mtlsserver.crt \
    --mtlskey /certs/mtlsserver.key

This will start Portainer using your provided CA and certificates.

Docker Swarm

To add mTLS certificates to Portainer Server on Docker Swarm during installation, we recommend adding the necessary files as secrets and then referencing those secrets within the YAML used to deploy Portainer.

First, upload your CA certificate (mtlsca.crt), server certificate (mtlsserver.crt) and server key (mtlsserver.key) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at /root/certs. Once you have uploaded the files, create your secrets as follows:

docker secret create portainer.mtlscacert /root/certs/mtlsca.crt
docker secret create portainer.mtlscert /root/certs/mtlsserver.crt
docker secret create portainer.mtlskey /root/certs/mtlsserver.key

Modify your Portainer YAML file to attach the secrets and add the --mtlscacert, --mtlscert and --mtlskey options:

  portainer:
    image: portainer/portainer-ee:2.21.5
    command: -H tcp://tasks.agent:9001 --tlsskipverify --mtlscacert /run/secrets/portainer.mtlscacert --mtlscert /run/secrets/portainer.mtlscert --mtlskey /run/secrets/portainer.mtlskey
    ports:
      - "9443:9443"
      - "9000:9000"
      - "8000:8000"
    volumes:
      - portainer_data:/data
    networks:
      - agent_network
    deploy:
      mode: replicated
      replicas: 1
      placement:
        constraints: [node.role == manager]
    secrets:
        - portainer.mtlscacert
        - portainer.mtlsscert
        - portainer.mtlskey

and to add the secrets definitions to include the secrets we just created:

secrets:
  portainer.mtlscacert:
    external: true
  portainer.mtlscert:
    external: true
  portainer.mtlskey:
    external: true

Kubernetes (via Helm)

If it doesn't already exist, create the portainer namespace:

kubectl create namespace portainer

Next, create a secret containing the CA, certificate and matching private key:

kubectl create secret generic portainer-mtls-certs-secret -n portainer \
    --from-file=mtlsca.crt=ca.crt \
    --from-file=mtlscert.crt=server.crt \
    --from-file=mtlskey.key=server.key

Replace ca.crt, server.crt and server.key in the above command with the paths to your CA certificate, certificate and matching key respectively.

Install Portainer via Helm with the mtls.existingSecret parameter set to the name of the secret you just created:

helm install -n portainer portainer portainer/portainer \
    --set mtls.existingSecret=portainer-mtls-certs-secret \
    --set enterpriseEdition.enabled=true
helm install -n portainer portainer portainer/portainer \
    --set mtls.existingSecret=portainer-mtls-secret \
    --set service.type=LoadBalancer \
    --set enterpriseEdition.enabled=true

Configure mTLS post installation

If you already have Portainer Server deployed, you can configure mTLS support through the Portainer UI.

As an admin user, from the left menu select Settings then Edge Compute. Toggle on Enable Edge Compute features if it isn't already on and click Save Settings. Then scroll down to the mTLS Certificate section.

Here you can enable the use of mTLS with the Use separate mTLS cert toggle, and upload the CA certificate, server certificate and server key using the buttons for TLS CA certificate, TLS certificate and TLS key respectively.

Deploying the Edge Agents

Once you have the Portainer Server instance configured to use mTLS, you can then configure your Edge Agent deployments to use it as well.

When deploying an Edge Agent you will be provided with a command to run by the Portainer UI. We will take that command and modify it for mTLS support.

Docker Standalone

On your Docker host, upload your CA certificate (mtlsca.crt), client certificate (client.crt) and client key (client.key) into a directory that will be bind mounted into the Edge Agent container. In this example we assume your certificates are located at /root/certs.

Once the certificates are in place and the secrets created, you can begin to set up your Edge Agent within the Portainer UI.

When doing so, remember to use the domain (or subdomain) you chose for mTLS usage (and that the server certificate was issued for) as the Portainer API server URL and tunnel address (if appropriate).

When you have completed the Edge Agent setup in the Portainer UI and have your deployment command, modify the command to mount the /root/certs directory to /certs, change the EDGE_INSECURE_POLL option to 0, and add the --mtlscacert, --mtlscert, and --mtlskey options:

docker run -d \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /var/lib/docker/volumes:/var/lib/docker/volumes \
  -v /:/host \
  -v /root/certs:/certs \
  -v portainer_agent_data:/data \
  --restart always \
  -e EDGE=1 \
  -e EDGE_ID=your-edge-id \
  -e EDGE_KEY=your-edge-key \
  -e EDGE_INSECURE_POLL=0 \
  --name portainer_edge_agent \
  portainer/agent:2.21.5 \
  --mtlscacert /certs/mtlsca.crt \
  --mtlscert /certs/client.crt \
  --mtlskey /certs/client.key

Run the command to deploy your Edge Agent with mTLS support.

Docker Swarm

To add mTLS certificates to the Edge Agent, we recommend adding the necessary files as secrets and then referencing those secrets within the YAML used to deploy Portainer.

First, upload your CA certificate (mtlsca.crt), client certificate (client.crt) and client key (client.key) into a directory that will be referenced by the secret creation. In this example we assume your certificates are located at /root/certs. Once you have uploaded the files, create your secrets as follows:

docker secret create portainer.mtlscacert /root/certs/mtlsca.crt
docker secret create portainer.mtlscert /root/certs/client.crt
docker secret create portainer.mtlskey /root/certs/client.key

Once the certificates are in place and the secrets created, you can begin to set up your Edge Agent within the Portainer UI.

When doing so, remember to use the domain (or subdomain) you chose for mTLS usage (and that the server certificate was issued for) as the Portainer API server URL and tunnel address (if appropriate).

When you have completed the Edge Agent setup in the Portainer UI and have your deployment command, modify the command to change the EDGE_INSECURE_POLL option to 0 and add the --mtlscacert, --mtlscert and --mtlskey options, using the secrets we defined above:

docker network create \
  --driver overlay \
  portainer_agent_network;

docker service create \
  --name portainer_edge_agent \
  --network portainer_agent_network \
  -e EDGE=1 \
  -e EDGE_ID=your-edge-id \
  -e EDGE_KEY=your-edge-key \
  -e EDGE_INSECURE_POLL=0 \
  -e AGENT_CLUSTER_ADDR=tasks.portainer_edge_agent \
  --mode global \
  --constraint 'node.platform.os == linux' \
  --mount type=bind,src=//var/run/docker.sock,dst=/var/run/docker.sock \
  --mount type=bind,src=//var/lib/docker/volumes,dst=/var/lib/docker/volumes \
  --mount type=bind,src=//,dst=/host \
  --mount type=volume,src=portainer_agent_data,dst=/data \
  portainer/agent:2.21.5 \
  --mtlscacert /run/secrets/portainer.mtlscacert \
  --mtlscert /run/secrets/portainer.mtlscert \
  --mtlskey /run/secrets/portainer.mtlskey

Run the commands to deploy your Edge Agent with mTLS support.

Kubernetes

At present, mTLS support for the Portainer Agent running on a Kubernetes environment is a work in progress. If you require instructions for deploying a Portainer Agent with mTLS on a Kubernetes environment, please .

get in touch with our support team
Edge Compute settings