jside
March 20, 2025, 7:20pm
21
Hi!
Also giving this feature request a thumbs up.
This is working fine on Android now (as far as I can tell). I’m using the latest dev version (three-finger tap multiple times to get the debug menu, then check the mTLS feature).
Would be awesome if this could be implemented on the iOS side as well.
I’ve seen these PRs on Android:
For me mTLS is a must for self-hosting services. Of course you can go the VPN route, but that makes it cumbersome to use since you sometimes need to activate the VPN. Also, the less tech-savvy members of my family will never connect to a VPN for the sake of storing a password.
Please let us iOS users also be able to use self-hosted Bitwarden with mTLS.
3 Likes
I think there is an open PR for that:
main ← jalenfran:mTLS-support-iOS
opened 01:17AM - 06 Jul 25 UTC
## 🎟️ Tracking
- GitHub Discussion: [Add mTLS Support Discussion](https://github.com/orgs/bitwarden/discussions/15491)
- Feature Request: [Implementing mTLS in the Bitwarden apps](http://community.bitwarden.com/t/implementing-mtls-in-the-bitwarden-apps/63958)
## 📔 Objective
This PR implements client certificate authentication (mTLS) support for the iOS app when connecting to self-hosted Bitwarden environments that require client certificates.
**Key Features:**
- PKCS#12 (.p12/.pfx) certificate import with password support
- Secure certificate storage independent of user login
- mTLS HTTP client integration for server authentication
- Certificate management UI integrated into self-hosted server configuration
- Comprehensive error handling and user feedback
**Technical Implementation:**
- `ClientCertificateConfiguration` model for certificate data and metadata
- `ClientCertificateService` for secure certificate management operations
- `CertificateHTTPClient` with URLSession delegate for mTLS authentication
- Global certificate storage using existing app settings infrastructure
- SwiftUI interface for certificate import, display, and removal
This enables users to authenticate with self-hosted Bitwarden servers that require client certificates for enhanced security.
## ⏰ Reminders before review
- [x] Contributor guidelines followed
- [x] All formatters and local linters executed and passed
- [x] Written new unit and / or integration tests where applicable
- [x] Protected functional changes with optionality (feature flags) - *N/A: Feature is opt-in via certificate import*
- [x] Used internationalization (i18n) for all UI strings
- [x] CI builds passed
- [x] Communicated to DevOps any deployment requirements - *N/A: No deployment changes needed*
- [x] Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
## 🦮 Reviewer guidelines
**Key Areas for Review:**
- 🔐 Security implementation of certificate storage and mTLS authentication
- 🎨 UI/UX integration with existing self-hosted configuration flow
- 📝 Error handling for various certificate import scenarios
- ⚡ Performance impact of certificate validation and HTTP client changes
- 🧪 Test coverage for certificate management workflows
**Files to Focus On:**
- `ClientCertificateService.swift` - Core certificate management logic
- `CertificateHTTPClient.swift` - mTLS HTTP client implementation
- `SelfHostedView.swift` - UI integration and user experience
- `StateService.swift` & `AppSettingsStore.swift` - Secure storage implementation
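As an added example (not code from the PR or from Bitwarden), this shows how an iOS client can answer a server's client-certificate request from a `URLSession` delegate, using an identity imported from a PKCS#12 file. The names `ClientCertificateDelegate` and `makeMTLSSession` are hypothetical, and the code assumes the leaf certificate comes first in the imported chain.

```swift
import Foundation
import Security

/// Hypothetical delegate (not the PR's CertificateHTTPClient): answers the server's
/// TLS client-certificate request with an identity loaded from a PKCS#12 blob.
final class ClientCertificateDelegate: NSObject, URLSessionDelegate {
    private let credential: URLCredential

    /// Returns nil on a wrong password or a bundle without an identity,
    /// so a bad import is reported at import time instead of at the first request.
    init?(pkcs12Data: Data, password: String) {
        let options = [kSecImportExportPassphrase as String: password] as CFDictionary
        var items: CFArray?
        let status = SecPKCS12Import(pkcs12Data as CFData, options, &items)
        guard status == errSecSuccess,
              let first = (items as? [[String: Any]])?.first,
              let identityRef = first[kSecImportItemIdentity as String]
        else { return nil }
        let identity = identityRef as! SecIdentity // this key is documented to hold a SecIdentity
        // Assumption: the leaf is first in the chain; only intermediates are passed along.
        let chain = (first[kSecImportItemCertChain as String] as? [SecCertificate]) ?? []
        credential = URLCredential(identity: identity,
                                   certificates: Array(chain.dropFirst()),
                                   persistence: .forSession)
        super.init()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        switch challenge.protectionSpace.authenticationMethod {
        case NSURLAuthenticationMethodClientCertificate:
            // The server asked for a client certificate: present the imported identity.
            completionHandler(.useCredential, credential)
        default:
            // Server trust and other challenges keep the system's default evaluation.
            completionHandler(.performDefaultHandling, nil)
        }
    }
}

/// Hypothetical helper: an ephemeral session whose requests can present the client certificate.
func makeMTLSSession(pkcs12Data: Data, password: String) -> URLSession? {
    guard let delegate = ClientCertificateDelegate(pkcs12Data: pkcs12Data, password: password)
    else { return nil }
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Because the PKCS#12 bundle contains the private key, a persisted copy of the identity belongs in the Keychain rather than in plain app preferences.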
Hi,
I just tested mTLS on Android, and it works without any issues. Finally, I can introduce Bitwarden (self-hosted) to my family, now that the VPN hassle is gone. I’m also no longer facing the typical questions like, “Why isn’t it working? My browser password manager just works out of the box!”
Is there any planned release date for mTLS support on iOS?
Also, in the Windows Desktop App, I couldn’t find any option to use certificates. Does this mean mTLS is not supported in the Windows App (not the browser extension, which works fine with browser certificate integration)?
1 Like