Identity adapter

Identity-preserving mTLS

Carry each client's real identity to an mTLS upstream — without holding their keys.

Diagram: client with its own identity → TLS Lane → mTLS upstream (CA-based trust)
When you need it
Many distinct clients, each with its own certificate, reaching an mTLS upstream that must authorize on each client's real identity — and you don't hold their private keys.
How it works
TLS Lane propagates the upstream's certificate request to the client, verifies its chain against your client CA and its proof-of-possession at the edge, then mints a fresh certificate under the TLS Lane CA preserving the original subject and SANs. The upstream authorizes on the original identity.
Good to know
Trust shifts: proof-of-possession is checked at the edge, then asserted forward — the agent joins the client-auth trust boundary. Works only with CA-based upstream trust; breaks if the upstream pins specific client certs.
TLS version
TLS 1.3 only
Enable
sudo tlslane splice --mint-client-cert --client-ca <pem>
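The verify-then-mint step described under "How it works", as an added Go example built on the standard library only; it is not TLS Lane's code. The helper names `issue` and `remint`, the CA names and the `svc-a` identity are constructed for illustration, and proof-of-possession, which the TLS handshake itself establishes, is not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) signs t with a fresh key; a nil parent makes t a constructed self-signed CA.
func issue(t, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t.SerialNumber = big.NewInt(time.Now().UnixNano())
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if parent == nil {
		parent, pk = t, key
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// remint (hypothetical) verifies orig against clientCA, then issues its subject and SANs under edgeCA with a new key.
func remint(orig, clientCA, edgeCA *x509.Certificate, edgeKey ed25519.PrivateKey) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(clientCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := orig.Verify(opts); err != nil {
		return nil, err // not issued by the client CA: nothing is asserted forward
	}
	minted, _ := issue(&x509.Certificate{RawSubject: orig.RawSubject, DNSNames: orig.DNSNames,
		URIs: orig.URIs, EmailAddresses: orig.EmailAddresses, IPAddresses: orig.IPAddresses}, edgeCA, edgeKey)
	return minted, nil
}

func main() {
	clientCA, ck := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "constructed client CA"}}, nil, nil)
	edgeCA, ek := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "constructed edge CA"}}, nil, nil)
	orig, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "svc-a"}, DNSNames: []string{"svc-a.example.internal"}}, clientCA, ck)
	minted, err := remint(orig, clientCA, edgeCA, ek)
	fmt.Println(minted.Subject, minted.DNSNames, minted.Issuer, err)
}
```

The minted certificate carries the same subject and SANs but a different key, issuer and fingerprint, which is why an upstream that trusts a CA accepts it while one that pins specific client certificates does not.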