Feature request: mTLS support

Problem/Justification
To secure network communication it would be very helpful if mTLS support is added to TrueNAS SCALE. Custom TLS certificates for HTTPS traffic are already implemented, allowing clients to verify the authenticity of the TrueNAS server. However, it is currently not supported for TrueNAS to verify client certificates in the TLS stage (mutual TLS). This prevents certificate-based access control to the TrueNAS UI.

As all the TLS and CA infrastructure is there, it would be a small step to support client certificate verification. This would be ideal in enterprise environments as well because it can integrate with an already existing PKI. It would only require two settings: a trust store (could reuse existing functionality) and a configuration option to enable mTLS. Optionally, specific certificate attributes can be required (e.g. only accept certificates that have the key usage Data Access).

Impact
I envision it to be an optional configuration (similar to the current TLS/custom CA configuration) that would only be enabled when needed. In this sense I only see security benefits for users that require more assurances regarding access control, without any impact for users that choose not to enable the functionality.

User Story
TrueNAS is running in a network behind a reverse proxy. Only the proxy should be allowed to access the TrueNAS UI. Other services reside in the same network and can, without mTLS, access the UI. With mTLS enabled, the administrator of TrueNAS can enforce that the client must produce a valid X.509 certificate that is signed by a trusted CA, thus hooking into the already existing PKI of the organisation and providing a strong, cryptographically backed layer of security.
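The verification step this user story asks for, as an added example in Go using only the standard library (this is illustrative code, not TrueNAS code): a trust store, the clientAuth extended key usage required during chain validation, and a CN allow-list so that only the reverse proxy's certificate is accepted. ClientPolicy, Verify, issue and the subject proxy.internal are assumed names for the illustration; Verify has the shape of tls.Config.VerifyPeerCertificate so it drops into a server config that sets ClientAuth to tls.RequireAndVerifyClientCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ClientPolicy stands in for the requested setting: a trust store plus the
// attributes a client certificate must carry (clientAuth EKU, allow-listed CN).
type ClientPolicy struct {
	TrustStore *x509.CertPool
	AllowedCN  string // e.g. the reverse proxy's certificate subject
}
// Verify chains the presented leaf to the trust store with the clientAuth EKU
// required, then applies the CN allow-list; any error aborts the TLS handshake.
func (p ClientPolicy) Verify(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("mTLS: no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return fmt.Errorf("mTLS: unparsable client certificate: %w", err)
	}
	opts := x509.VerifyOptions{Roots: p.TrustStore, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("mTLS: client certificate rejected: %w", err)
	}
	if leaf.Subject.CommonName != p.AllowedCN {
		return fmt.Errorf("mTLS: subject %q is not the allowed client", leaf.Subject.CommonName)
	}
	return nil
}

// issue mints constructed test data: a self-signed root when parent is nil, otherwise a leaf signed by it.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: mark as CA, allow cert signing, sign with its own key
		tmpl.IsCA, tmpl.KeyUsage, parent, pkey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```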

Agreed that the CA support in TrueNAS is the bare minimum.

The mechanism to do this already exists in OpenSSL. It's possible to tie the OpenSSL library to a local or remote HSM using the PKCS #11 API. With a pkcs11 provider library installed alongside OpenSSL, it's possible to interrogate a local or remote HSM (using a secure connection). Ideally, if connecting to a remote HSM, the connection key pair would be stored in a TPM 2.0 or on a smart card and not in the local filesystem.

There are free network HSM simulators out there to help you prototype, design and implement such a solution on the TrueNAS side. Ultimately, TrueNAS would have an alternate UI panel to permit connection to the remote HSM.

Some nice hardware HSMs that won't kill the budget include NitroKey HSM and YubiHSM.