Configure mutual transport layer security (mTLS) for API connectors in Sigma

You can configure mutual transport layer security (mTLS) for API connectors in Sigma. By adding client and server certificates to Sigma, you can enhance data security with mutual authentication when making requests to external services. If an endpoint or platform requires mutual authentication to make requests, you can configure a certificate in Sigma to meet that requirement.

System and user requirements

To add a client certificate to Sigma:

  • You must be assigned an account type with the Manage API connectors permission enabled.
  • You must be able to provide a paired client certificate and client key for the platform that requires mutual authentication. To generate a certificate and key, refer to the documentation for the platform you want to authenticate with.

Add a client certificate to Sigma

Add a new certificate to Sigma for use with API connectors.

  1. Go to Administration > API connectors:

    1. From the Sigma header, select your user avatar to open the user menu.
    2. Select Administration to open the Administration portal.
    3. From the side panel, select API connectors.
  2. Select the Certificates tab.

  3. Select Create certificate.

  4. On the New certificate screen, configure the following fields in the Certificate details section:

    Field | Description
    Name | The name of the client certificate as it appears when selected for a connector.
    Description | (Optional) A description that helps users identify the client certificate when creating an API connector.
    Authorized domains | A set of authorized domains used to restrict access to the client certificate. The client certificate can only be used for endpoints that match the authorized domains. Use * as a wildcard, for example *.example.com.
  5. In the Certificate and key section, add or configure the following:

    Field | Description
    Client certificate | The public certificate, encoded in privacy-enhanced mail (PEM) format. Used to identify the client from Sigma when making a request to the server. You can either select Upload to add a .pem, .crt, or .cer file, or enter the certificate in the provided text area.
    Client key | The private key paired with the client certificate. Used by Sigma to prove ownership of the client certificate when making a request to the server. You can either select Upload to upload a .pem or .key file or enter the key in the provided text area.
    Passphrase | (Optional) The passphrase used to decrypt an encrypted key. If you use an encrypted key format, such as PKCS #8 encrypted, enter the associated passphrase. Leave blank if the key is not encrypted.
    CA certificate | (Optional) The certificate used to verify the server's identity. You can either select Upload to add a .pem, .crt, or .cer file, or enter the certificate in the provided text area.
  6. Select Save.

The certificate is available when configuring API connectors in Sigma.
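
Before uploading, you can confirm locally that the client key is the one paired with the client certificate and that the passphrase decrypts it. The following script is an added example, not part of Sigma or its documentation. It assumes the OpenSSL command-line tool is installed; the file names, subject names, and passphrase are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not Sigma code): check a client certificate/key pair before upload.

# pair_matches CERT KEY [PASSPHRASE]
# Returns 0 if KEY belongs to CERT, 1 on mismatch,
# 2 if CERT is not a readable PEM certificate,
# 3 if KEY cannot be read (bad format, or wrong or missing passphrase).
pair_matches() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || return 2
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ]
}

# make_samples DIR: constructed, throwaway material. Two self-signed pairs (a, b)
# and a PKCS #8 encrypted copy of key a protected by a sample passphrase.
make_samples() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-a.example.com" \
    -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-b.example.com" \
    -keyout "$1/b.key" -out "$1/b.crt" 2>/dev/null &&
  openssl pkcs8 -topk8 -in "$1/a.key" -out "$1/a.enc.key" -passout pass:example-passphrase
}

# report LABEL CERT KEY [PASSPHRASE]: print the outcome of one check.
report() {
  rc=0; pair_matches "$2" "$3" "${4:-}" || rc=$?
  case $rc in
    0) echo "$1: key matches certificate" ;;
    1) echo "$1: key does NOT match certificate" ;;
    2) echo "$1: certificate is not valid PEM" ;;
    3) echo "$1: key unreadable (format or passphrase)" ;;
  esac
}

tmp=$(mktemp -d) && make_samples "$tmp" && {
  report "paired"                    "$tmp/a.crt" "$tmp/a.key"
  report "wrong key"                 "$tmp/a.crt" "$tmp/b.key"
  report "encrypted, no passphrase"  "$tmp/a.crt" "$tmp/a.enc.key"
  report "encrypted, passphrase"     "$tmp/a.crt" "$tmp/a.enc.key" example-passphrase
}
rm -rf "$tmp"
```

To check your own files, call `pair_matches` with the paths to your certificate and key, plus the passphrase if the key is encrypted.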