
Cloud Encryption in Transit — TLS, mTLS & Certificate Management

DodaTech Updated 2026-06-24 4 min read

In this tutorial, you'll learn about Cloud Encryption in Transit. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloud encryption in transit protects data moving between clients, services, and cloud regions using TLS and mTLS, with AWS Certificate Manager (ACM), Azure Key Vault, and GCP Certificate Authority Service (CAS) managing the certificate lifecycle.

What You Will Learn

How to configure TLS termination, implement mTLS for service-to-service authentication, and automate certificate renewal across all three major clouds.

Why It Matters

Data in transit without encryption is plaintext on the wire. Attackers on the same network segment, rogue cloud employees, or compromised intermediary services can read, modify, or replay traffic.

Real-World Use

Doda Browser enforces TLS 1.3 for all cloud API calls and uses mTLS for internal service communication. Every certificate is managed through ACM with automated renewal 30 days before expiry.

TLS Termination Architecture

flowchart LR
  Client[User Browser] -->|TLS 1.3| LB[Load Balancer\nTLS Termination]
  LB -->|TLS re-encrypted| App[Application Server]
  App -->|mTLS| API[Internal API]
  API -->|mTLS| DB[(Database Proxy)]
  
  Cert[Certificate Authority] -->|Issues Certs| LB
  Cert -->|Issues Certs| App
  Cert -->|Issues Certs| API
  
  style Cert fill:#f90,color:#fff

AWS Certificate Manager

ACM provisions and rotates SSL/TLS certificates for AWS services including CloudFront, ALB, and API Gateway. Public certificates are free, and when validated by DNS they renew automatically for as long as the validation CNAME record stays in place; email-validated certificates need someone to approve each renewal, so prefer DNS validation.

# Request a public certificate from ACM
aws acm request-certificate \
  --domain-name api.dodatech.com \
  --validation-method DNS \
  --subject-alternative-names "*.api.dodatech.com"
# Output:
# {
#   "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaa-bbbb-cccc-dddd"
# }

# List certificates that have already expired or failed validation
# (ACM renews DNS-validated certificates itself; this catches the ones it could not)
aws acm list-certificates --query 'CertificateSummaryList[?Status==`EXPIRED`||Status==`FAILED`]'
# Output:
# []

Mutual TLS (mTLS)

mTLS authenticates both sides of a connection. The client presents a certificate during the handshake and the server validates it against a configured trust store before the connection is allowed to carry traffic. On API Gateway that trust store is a PEM bundle of CA certificates in S3, attached to a custom domain name (TruststoreVersion is the S3 object version and is only needed on versioned buckets). Because mTLS is enforced on the custom domain, also disable the API's default execute-api endpoint; otherwise callers can bypass the check by using that endpoint directly.

# AWS: Configure mTLS on API Gateway
aws apigatewayv2 update-domain-name \
  --domain-name api.dodatech.com \
  --mutual-tls-authentication TruststoreUri=s3://cert-bucket/truststore.pem,TruststoreVersion=1

# Verify configuration
aws apigatewayv2 get-domain-name --domain-name api.dodatech.com
# Output:
# {
#   "DomainName": "api.dodatech.com",
#   "MutualTlsAuthentication": {
#     "TruststoreUri": "s3://cert-bucket/truststore.pem",
#     "TruststoreVersion": "1"
#   }
# }

Azure Key Vault Certificates

Azure Key Vault can create, store, and renew certificates under a policy. Renewal is automatic for self-signed certificates and for its integrated issuers (DigiCert and GlobalSign); with a non-integrated CA, Key Vault generates the CSR and you must get it signed and merge the result back, so renewal is only as automatic as that step.

# Create a certificate in Key Vault from a policy file. The "Self" issuer
# below yields a self-signed certificate for the walkthrough; in production
# point issuerParameters.name at an integrated issuer (DigiCert or GlobalSign)
# or issue from your private CA and import the result.
az keyvault certificate create \
  --vault-name prod-keyvault-01 \
  --name api-cert \
  --policy "$(cat cert-policy.json)"

# cert-policy.json example structure (lifetimeActions is what drives renewal):
# {
#   "keyProperties": {"keyType": "RSA", "keySize": 2048},
#   "secretProperties": {"contentType": "application/x-pkcs12"},
#   "x509CertificateProperties": {
#     "subject": "CN=api.dodatech.com",
#     "subjectAlternativeNames": {"dnsNames": ["api.dodatech.com"]},
#     "validityInMonths": 12
#   },
#   "lifetimeActions": [
#     {"trigger": {"daysBeforeExpiry": 30}, "action": {"actionType": "AutoRenew"}}
#   ],
#   "issuerParameters": {"name": "Self"}
# }

# List certificates and their expiry dates
az keyvault certificate list --vault-name prod-keyvault-01 --query "[].{Name:name, Expires:attributes.expires}" --output table
# Output:
# Name      Expires
# api-cert  2027-06-24T00:00:00+00:00

GCP Certificate Authority Service

GCP CAS is a managed private CA for issuing and revoking TLS certificates within your organization.

# Create a Certificate Authority pool (the enterprise tier tracks issued
# certificates and supports revocation; the devops tier does neither)
gcloud privateca pools create prod-ca-pool --location us-central1 --tier enterprise

# Create and enable a CA
gcloud privateca roots create prod-root-ca \
  --pool prod-ca-pool \
  --location us-central1 \
  --subject "CN=Root CA, O=DodaTech" \
  --key-algorithm ec-p256-sha256

# Issue a leaf certificate from the pool. The subject and SANs
# (here api.dodatech.com) come from the CSR; the pool's CA signs it.
gcloud privateca certificates create api-cert \
  --issuer-pool prod-ca-pool \
  --issuer-location us-central1 \
  --csr my-csr.pem \
  --validity P30D \
  --cert-output-file api-cert.pem

TLS Version Enforcement

Always enforce TLS 1.2 or higher. TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021: their handshake integrity relies on MD5/SHA-1, they offer no AEAD cipher suites, and their CBC modes are exposed to padding-oracle attacks such as BEAST and Lucky Thirteen. Prefer TLS 1.3 wherever every client supports it; it removes static RSA key exchange and the legacy suites outright.

# AWS: Enforce minimum TLS version on CloudFront.
# update-distribution replaces the whole DistributionConfig and needs the
# current ETag, so fetch the config, patch ViewerCertificate, and write it back.
# MinimumProtocolVersion only applies when the distribution uses a custom
# (ACM) certificate, not the default *.cloudfront.net certificate.
aws cloudfront get-distribution-config --id E123456 > dist.json
ETAG=$(jq -r '.ETag' dist.json)
jq '.DistributionConfig
    | .ViewerCertificate.MinimumProtocolVersion = "TLSv1.2_2021"
    | .ViewerCertificate.SSLSupportMethod = "sni-only"' dist.json > dist-config.json
aws cloudfront update-distribution \
  --id E123456 \
  --if-match "$ETAG" \
  --distribution-config file://dist-config.json
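The two controls this page keeps returning to, a server that demands a client certificate and a server that refuses old protocol versions, are easiest to understand with both ends of the handshake in front of you. The Go program below is an added example for this page; it is not code from the original tutorial or from DodaTech. It mints a throwaway CA, server certificate and client certificate in memory (standing in for ACM Private CA or GCP CAS), starts an mTLS server on loopback that insists on TLS 1.3, and dials it with four clients: one with a valid certificate, one with none, one with a self-signed certificate the server has never seen, and one capped at TLS 1.2. The hostname api.dodatech.com is taken from the page; the names client-svc and Doda Internal CA are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 certificate for cn: a self-signed root when parent is nil, otherwise
// a server+client leaf signed by parent. It stands in for ACM Private CA or GCP CAS here.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         parent == nil, BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if tmpl.IsCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // the SAN a client checks ServerName against
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// serve is the internal API. RequireAndVerifyClientCert is what makes it mTLS: a caller whose
// certificate does not chain to clientCAs is rejected in the handshake, as is any pre-1.3 client.
func serve(ln net.Listener, srv tls.Certificate, clientCAs *x509.CertPool) {
	cfg := &tls.Config{Certificates: []tls.Certificate{srv}, ClientCAs: clientCAs,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13}
	for raw, err := ln.Accept(); err == nil; raw, err = ln.Accept() {
		tc := tls.Server(raw, cfg)
		if tc.Handshake() == nil { // a failed handshake has already sent the client an alert
			fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
		}
		tc.Close() // close_notify, so a successful client reads a clean EOF
	}
}

type Outcome struct{ Reply string; Err error }
// dial connects as a client and reads the greeting. Under TLS 1.3 the server's verdict on the
// client certificate can arrive after Dial returns, so a rejection may only surface on Read.
func dial(addr string, cfg *tls.Config) Outcome {
	cfg.ServerName = "api.dodatech.com" // hostname the server certificate was issued for
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return Outcome{"", err}
	}
	defer conn.Close()
	reply, err := io.ReadAll(conn) // EOF after the greeting is the normal end, not an error
	return Outcome{string(reply), err}
}

// RunScenarios runs one server against four clients, all on loopback with throwaway keys.
func RunScenarios() map[string]Outcome {
	ca := issue("Doda Internal CA", nil)
	srv := issue("api.dodatech.com", &ca)
	cli := issue("client-svc", &ca)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	go serve(ln, srv, trust)
	cases := map[string]*tls.Config{
		"valid":       {RootCAs: trust, Certificates: []tls.Certificate{cli}},
		"no-cert":     {RootCAs: trust},
		"self-signed": {RootCAs: trust, Certificates: []tls.Certificate{issue("client-svc", nil)}},
		"tls12-only":  {RootCAs: trust, Certificates: []tls.Certificate{cli}, MaxVersion: tls.VersionTLS12},
	}
	out := map[string]Outcome{}
	for name, cfg := range cases {
		out[name] = dial(ln.Addr().String(), cfg)
	}
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with go run; only the valid client gets the greeting, the other three get an alert or no data at all. Two details matter in practice. First, with TLS 1.3 the client completes its side of the handshake before the server has looked at the client certificate, so tls.Dial can return a connection that dies on the first Read; code that only checks the Dial error will misreport mTLS rejections. Second, the version floor and the client-certificate requirement are both decided in the server's tls.Config, which is exactly what the CloudFront MinimumProtocolVersion and the API Gateway truststore settings above express for managed services.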

Common Mistakes

  1. Using self-signed certificates in production: nothing but the issuing host trusts a self-signed certificate, so every client either needs it distributed out of band or ends up skipping validation. Use ACM, Key Vault with an integrated issuer, or a private CA (ACM Private CA, GCP CAS) so clients validate against one root.
  2. Not renewing certificates before expiry: Expired certificates cause immediate connection failures. Automate renewal with a 30-day lead time and alert on anything the automation has not renewed by then.
  3. Disabling certificate validation in development code: Code that skips validation in dev often ships to production with the same skip. Always validate, and keep "skip verification" switches out of the code entirely; if a development environment needs a different trust root, give it a private CA instead.
  4. Using TLS 1.0 or 1.1: Both are deprecated. Enforce TLS 1.2 minimum across all services and load balancers.
  5. Ignoring mTLS for internal services: The edge load balancer is not the only hop. Plain TLS between services encrypts the traffic but does not tell the callee who is calling; mTLS adds a verifiable client identity. Encrypt and authenticate every hop, not just the edge.

Practice Questions

  1. What is the difference between TLS termination and TLS passthrough?
  2. How does mTLS differ from standard TLS?
  3. Which AWS service automatically renews SSL certificates?
  4. Why should you enforce a minimum TLS version?
  5. How does Azure Key Vault handle certificate lifecycle management?

Challenge

Implement end-to-end TLS for a microservices architecture. The edge load balancer terminates TLS 1.3 for external clients. All internal services communicate over mTLS using certificates issued by a private CA. Write the configuration for AWS ACM, GCP CAS, and Azure Key Vault.

FAQ

What is encryption in transit?

Encryption that protects data as it moves across networks between clients, servers, and cloud services.

What is the difference between TLS and mTLS?

TLS authenticates the server to the client. mTLS authenticates both sides by requiring a client certificate.

Does AWS Certificate Manager support private certificates?

Yes. AWS Private CA (formerly ACM Private CA) issues and manages private certificates for internal resources, and ACM can request certificates from it for load balancers and other AWS services.

What TLS version should I use?

TLS 1.2 or TLS 1.3. TLS 1.0 and 1.1 are deprecated and insecure.

Can Azure Key Vault issue certificates automatically?

Yes. Under the certificate's policy, Key Vault renews self-signed certificates and those from its integrated issuers (DigiCert, GlobalSign) automatically when the lifetimeActions trigger fires; for any other CA it can only generate the CSR, which you must get signed and merge back.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro