The connection at a glance
- One channel per appliance, between the appliance’s controller and your control plane.
- Outbound-only: the appliance always dials out. It never opens inbound ports.
- Mutually authenticated: both ends present and verify certificates before any data flows.
- Long-lived: established once during appliance setup and re-handshaked as needed.
| Direction | Carries |
|---|---|
| Control plane → appliance | Deployment instructions, operations commands (remote shell, one-off scripts, restarts) |
| Appliance → control plane | Responses to those commands, deployment and health status, and connection liveness |
Outbound-only by design
The appliance controller initiates the connection to your control plane over outbound HTTPS. It does not open inbound network ports, assign public IPs, or create ingress rules for itself. Your control plane never reaches into the customer’s network unsolicited; it can only send instructions back down a connection the appliance already opened. This matters for two reasons:- It’s easy for customers to allow. Most networks already permit outbound HTTPS, so customers don’t have to open ingress ports - a request that is often logistically difficult and a security concern in regulated environments.
- It shrinks the attack surface. There is no listening socket on the appliance for an attacker to reach, and no inbound path from your control plane into customer infrastructure.
Connected and Disconnected appliances differ.
Mutual TLS: both sides prove who they are
Ordinary (one-way) TLS only proves the server’s identity to the client. mTLS adds the reverse: the client must also present a certificate the server verifies. On the appliance-to-control-plane channel, both ends authenticate each other on every handshake:- Your control plane verifies that the connecting appliance is one it actually provisioned.
- The appliance verifies that it is talking to your control plane, not an impostor endpoint.
The two identities
| Identity | Belongs to | Verified by |
|---|---|---|
| Control plane certificate | Your control plane, running in your own AWS account | The appliance, which is provisioned at setup to trust only your control plane |
| Appliance leaf certificate | The individual appliance’s controller (one per appliance) | Your control plane, which validates it against the CA chain it issued and against the leaf fingerprint it recorded for that appliance |
The handshake
Appliance dials out
The appliance controller opens an outbound connection to your control plane’s endpoint.
Appliance verifies the control plane
Your control plane presents its certificate. The appliance validates that it chains to your control plane’s CA - the root it pinned when it enrolled (see Bootstrapping trust with cloud identity). If it doesn’t validate, the appliance refuses to proceed - so a spoofed or man-in-the-middle endpoint cannot impersonate your control plane.
Control plane verifies the appliance
The appliance presents its leaf certificate. Your control plane validates that the certificate chains to its CA and matches the leaf fingerprint it recorded for that appliance at enrollment. If the certificate doesn’t chain, doesn’t match the recorded fingerprint (for example, after the appliance was revoked), or has expired, the control plane drops the handshake.
Bootstrapping trust with cloud identity
The handshake above assumes each side already holds a certificate. But a brand-new appliance has none - and handing it a pre-shared secret to start with would just move the problem. Tensor9 closes this gap by bootstrapping the appliance’s first certificate off the platform’s own identity system - AWS, GCP, or Kubernetes - so there is no long-lived shared secret to distribute or leak. Enrollment follows the same four steps on every platform; only the proof of identity differs:Appliance opens a bootstrap connection
The appliance opens a provisional connection to your control plane. Your control plane accepts it to carry the enrollment exchange, but treats it as unauthenticated - the appliance hasn’t proven its identity yet.
Appliance attests its platform identity
Over that connection the appliance sends an enrollment request containing a certificate signing request (CSR) for the certificate it wants, plus a platform-signed proof of identity (see the table below). The proof is bound to this enrollment, so a captured proof cannot be replayed on a different connection.
Control plane verifies the identity with the platform
Your control plane validates the proof against the platform’s own authority - AWS STS, Google’s token-signing keys, or the cluster’s OIDC keys - and confirms the identity it resolves to matches the one recorded for this appliance at provisioning time, set by the customer’s own infrastructure.
| Platform | What the appliance presents | What your control plane checks it against |
|---|---|---|
| AWS | A presigned STS GetCallerIdentity request, signed with the IAM role the appliance runs as | Forwards it to AWS STS, which returns the caller’s role ARN; matches that against the role recorded for the appliance |
| GCP | A Google-signed instance-identity token (JWT) fetched from the instance metadata server | Verifies the signature against Google’s public keys; matches the project and service account against those recorded for the appliance |
| Kubernetes | A projected ServiceAccount token (JWT) mounted into the appliance’s pod | Verifies the signature against the cluster’s OIDC keys; matches the namespace and service account against those recorded for the appliance |
Per-appliance identity
Each appliance has its own leaf certificate, not a shared secret reused across the fleet. When your control plane issues that certificate, it records the leaf’s fingerprint against that appliance. On every handshake it checks both that the presented certificate chains to its CA and that the fingerprint matches the one on record - so an appliance can only ever authenticate as itself, and that recorded fingerprint is the lever for revoking it. The practical consequences:- No shared bearer secret. There is no API key or token that, if leaked, authenticates as any appliance. An appliance’s credential only authenticates that appliance.
- Blast radius is contained. Compromising one appliance’s certificate does not let an attacker present as a different appliance.
- No reaching into customer infrastructure. Cutting an appliance off is decided on your side - you don’t need access to the customer’s environment, which is outbound-only and may be unreachable on demand. See Cutting off an appliance.
Certificate lifecycle
Every certificate on this channel is issued from a two-tier certificate authority that your control plane operates inside your own AWS account - the same dedicated account your control plane runs in. The CA signing keys are held in KMS in that account: the private keys never leave KMS, and issuance happens through KMS signing operations. There is no exportable CA key to leak, and the CA stays under your control - Tensor9 never holds it on your behalf.| Certificate | Validity | Role |
|---|---|---|
| Root CA | 10 years | Top of the trust chain. Signs the intermediate CA. Signing key held in KMS. |
| Intermediate CA | 2 years | Signs leaf certificates. Signing key held in KMS. |
| Leaf certificate | 1 month | What each end presents on the handshake - both your control plane and the appliance. Rotated monthly. |
Cutting off an appliance
When your control plane issues an appliance its leaf certificate, it records that leaf’s fingerprint against the appliance. Every handshake checks the presented certificate’s fingerprint against the recorded one, so revoking an appliance is immediate: remove the recorded fingerprint and the cached certificate fails its very next handshake. The appliance cannot reconnect without re-enrolling, which requires a fresh cloud-identity attestation against the role recorded for it. This doesn’t rely on a certificate revocation list - revocation is a single change your control plane makes, enforced on the next handshake.Relationship to operator authentication
Two kinds of mTLS clients terminate at your control plane, and they use the same underlying trust model:| Appliance identity | Operator identity | |
|---|---|---|
| Who | An appliance’s controller (machine) | A person on your vendor team (human) |
| First enrolled by | A cloud-identity attestation (AWS STS) against the role recorded for the appliance | Redeeming a one-time enrollment bundle |
| Credential | A CA-issued leaf certificate, rotated ~monthly | A CA-issued leaf certificate, valid ~1 year |
| Cut off by | Remove its pinned leaf fingerprint; the cached cert fails its next handshake | The same operation, exposed as iam user revoke (which also cancels any unredeemed invite) |
| Covered in | This page | IAM Commands |
What the channel does and doesn’t expose
The mTLS channel secures how the two ends talk; the permissions model and secrets handling govern what the connection is allowed to do. Independent of mTLS:- Application and business data stay in the appliance. Only control traffic - deployment instructions, operations commands, and status responses - crosses the channel. Your customer’s business data never does.
- Secret values never leave the customer’s environment. The controller detects secrets created in the customer’s own secret manager; their values are not transmitted to your control plane. See Secrets.
- Every operation is authenticated and audited. Commands sent over the channel run through your control plane’s permissions model and are logged.
Related topics
- Your Control Plane: What the control plane does
- Customer Appliances: The appliance and its controller
- Permissions Model: What the connection is allowed to do
- IAM Commands: Operator authentication, also built on mTLS