Documentation Index Fetch the complete documentation index at: https://mintlify.com/nats-io/nats-server/llms.txt
Use this file to discover all available pages before exploring further.
Overview TLS (Transport Layer Security) options enable encrypted connections between NATS clients and servers, ensuring secure communication and optional client authentication through certificates.
Command Line Flags Enable TLS without client certificate verification. nats-server --tls --tlscert ./certs/server-cert.pem --tlskey ./certs/server-key.pem
Path to server certificate file (PEM format). nats-server --tlscert ./certs/server-cert.pem
Path to server private key file (PEM format). nats-server --tlskey ./certs/server-key.pem
Enable TLS and verify client certificates. nats-server --tlsverify --tlscert ./certs/server-cert.pem --tlskey ./certs/server-key.pem --tlscacert ./certs/ca.pem
Path to certificate authority (CA) file for verifying client certificates. nats-server --tlscacert ./certs/ca.pem
Configuration File Options Basic TLS Configuration Path to server certificate file. tls { cert_file: "./certs/server-cert.pem" }
Path to server private key file. tls { key_file: "./certs/server-key.pem" }
Path to certificate authority file for client verification. tls { ca_file: "./certs/ca.pem" }
Client Verification Verify client certificates. Requires ca_file. tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify: true }
Verify client certificates and map certificate fields to user authentication. tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify_and_map: true }
Skip certificate verification (for testing only). Never use in production! This disables security.
Cipher and Protocol Configuration List of allowed cipher suites. Restricts which encryption algorithms can be used. tls { cipher_suites: [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ] }
Elliptic curves for ECDHE cipher suites. tls { curve_preferences: [ "CurveP256", "CurveP384", "CurveP521" ] }
Minimum TLS protocol version. Options: 1.0, 1.1, 1.2, 1.3 tls { min_version: "1.3" }
TLS handshake timeout in seconds. TLS handshake rate limit in bytes per second. tls { rate_limit: 1048576 # 1 MB/s }
Perform TLS handshake before sending INFO protocol. tls { handshake_first: true }
tls.handshake_first_fallback
Fallback timeout when handshake_first is enabled. tls { handshake_first: true handshake_first_fallback: "2s" }
Certificate Pinning SHA256 fingerprints of pinned certificates. tls { pinned_certs: [ "<sha256-fingerprint-1>", "<sha256-fingerprint-2>" ] }
Configuration Examples Basic TLS Server port: 4222 server_name: "nats-tls" tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" }
TLS with Client Verification port: 4222 server_name: "nats-tls-verify" tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify: true }
Mutual TLS (mTLS) with Certificate Mapping port: 4222 server_name: "nats-mtls" tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify_and_map: true } accounts { APP: { users: [ # Certificate CN maps to user {user: "client1"} {user: "client2"} ] } }
High Security Configuration port: 4222 server_name: "nats-secure" tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify: true # Require TLS 1.3 min_version: "1.3" # Strong cipher suites only cipher_suites: [ "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256" ] # Modern curves curve_preferences: [ "X25519", "CurveP256" ] # Extended timeout for slower clients timeout: 10.0 }
Cluster with TLS port: 4222 server_name: "nats-cluster-tls" # Client TLS tls { cert_file: "./certs/server-cert.pem" key_file: "./certs/server-key.pem" ca_file: "./certs/ca.pem" verify: true } # Cluster with TLS cluster { name: "secure-cluster" listen: "0.0.0.0:6222" tls { cert_file: "./certs/route-cert.pem" key_file: "./certs/route-key.pem" ca_file: "./certs/ca.pem" verify: true } routes: [ "nats://nats-2:6222", "nats://nats-3:6222" ] }
Multiple Certificates port: 4222 server_name: "nats-multi-cert" tls { # Multiple certificate pairs for different domains certificates: [ { cert_file: "./certs/example.com.pem" key_file: "./certs/example.com-key.pem" }, { cert_file: "./certs/api.example.com.pem" key_file: "./certs/api.example.com-key.pem" } ] ca_file: "./certs/ca.pem" verify: true }
Generating Test Certificates For development and testing:
# Generate CA openssl genrsa -out ca-key.pem 4096 openssl req -new -x509 -days 365 -key ca-key.pem -out ca.pem -subj "/CN=NATS CA" # Generate server certificate openssl genrsa -out server-key.pem 4096 openssl req -new -key server-key.pem -out server.csr -subj "/CN=localhost" openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem # Generate client certificate openssl genrsa -out client-key.pem 4096 openssl req -new -key client-key.pem -out client.csr -subj "/CN=client" openssl x509 -req -days 365 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem
Available Cipher Suites Modern recommended cipher suites:
TLS_AES_128_GCM_SHA256 (TLS 1.3)TLS_AES_256_GCM_SHA384 (TLS 1.3)TLS_CHACHA20_POLY1305_SHA256 (TLS 1.3)TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
Monitoring TLS Connections Check TLS connection status via monitoring:
curl http://localhost:8222/connz
Look for tls_version and tls_cipher_suite fields in connection details.
Best Practices
Protocol Version : Use TLS 1.2 or higher (preferably 1.3)Strong Ciphers : Configure modern cipher suites, avoid weak algorithmsCertificate Management : Use proper PKI and rotate certificates regularlyClient Verification : Enable verify or verify_and_map in productionCertificate Expiry : Monitor certificate expiration datesPrivate Keys : Protect private keys with appropriate file permissions (0600)CA Trust : Use properly signed certificates from trusted CAs in productionSeparate Certificates : Use different certificates for client and cluster connectionsTimeout Tuning : Adjust timeout based on network conditionsTesting : Always test TLS configuration before deploying to production
Certificate Mapping When using verify_and_map: true, NATS maps certificate fields to users:
tls { verify_and_map: true ca_file: "./certs/ca.pem" } accounts { APP: { users: [ # User derived from certificate CN {user: "alice", permissions: {...}} {user: "bob", permissions: {...}} ] } }
Client certificate with CN=alice will be authenticated as user alice.
Troubleshooting Certificate Errors # Verify certificate validity openssl x509 -in server-cert.pem -text -noout # Check certificate chain openssl verify -CAfile ca.pem server-cert.pem # Test TLS connection openssl s_client -connect localhost:4222 -CAfile ca.pem
Common Issues
Certificate expired : Check expiration with openssl x509 -enddateHostname mismatch : Ensure certificate CN/SAN matches server hostnameCA not trusted : Verify ca_file contains the correct CA certificatePermission denied : Check file permissions on certificate and key filesHandshake timeout : Increase timeout value
Server Options Core server configuration
Cluster Options Secure cluster with TLS
JetStream Options Secure JetStream with TLS