# DN42 SSH-mTLS auth

Currently in DN42 there are several services that can authenticate a user against data stored in the registry. All of them use a challenge-response OTP model:
* receiving an email at your MNTner address
* signing a random string with your SSH/GPG private key

Currently, with Kioubit & iEdon auth you can set up a password once you have logged in with email or private key.

But all of these are too "simple", and are restricted to the browser. If only we could authenticate people using private keys with the HTTPS protocol ...
Wait, that's mTLS, isn't it?

## Proposal
I hereby propose a new and convoluted (but decentralized & stateless) authentication system that would turn a user's SSH key pair into an mTLS client certificate.
After all, SSH keys are commonly RSA or Ed25519, both of which are supported algorithms for TLS.

The user would
* convert their SSH private key into PEM format
* generate a self-signed X.509 certificate with said private key

The server would
* listen on HTTPS, accepting any client certificate (no CA chain check)
* decode the certificate and extract the public key
* match the public key against the DN42 registry
