Tags: google-cloud-platform, https, google-cloud-functions, pki, mtls

Does HTTPS in Google Cloud Functions support mTLS using PKI?


I'm looking to serve HTTPS downloads which are authenticated in both directions using mTLS, the requests and responses being signed with certificates issued by a private CA. The purpose of this is securing OTA updates of an embedded device (I need to identify and authorize both ends before downloading a FW image and PKI + mTLS is a very workable solution). A human being with a browser will never interact with this.

Google Cloud Functions terminate TLS by serving a public Google-issued HTTPS certificate. I can't seem to figure out how to make GCF serve HTTPS using a custom certificate (or to authorize incoming HTTPS requests only if the client certificate is signed by my private CA). Is that even possible? If yes, can anyone point me down the right document or example?


Solution

  • Client certificates are not supported.

    [Update 2023-06-23]

    On June 16, 2023, Google announced preview support for mTLS. Read this announcement:

    Introducing client authentication with Mutual TLS on Google Cloud Load Balancing

    This part of the announcement affects services that use IAP for authorization (Cloud Run, Cloud Functions, etc.):

    mTLS enables Google security solutions such as Identity Aware Proxy to enforce client certificate-based access control for applications hosted on Google.
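The check the question asks for (accept a client only if its certificate chains to the private CA) is shown here as an in-memory handshake with Python's `ssl` module, for an endpoint that terminates TLS itself. This is an added example, not part of the original question or answer and not code that Cloud Functions runs. It assumes the `openssl` CLI is on PATH; the names `ota-ca`, `other-ca`, `device-001`, `rogue-device` and `ota.example.test` are constructed for the demo.

```python
import functools, ssl, subprocess, tempfile

_run = functools.partial(subprocess.run, check=True, capture_output=True)

def make_ca(d, ca):  # self-signed private CA (constructed for this demo)
    _run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
          "-subj", f"/CN={ca}", "-keyout", f"{d}/{ca}.key", "-out", f"{d}/{ca}.crt"])

def issue(d, ca, cn):  # leaf key + cert signed by `ca`; SAN = cn so hostname checks pass
    with open(f"{d}/{cn}.ext", "w") as f:
        f.write(f"subjectAltName=DNS:{cn}\n")
    _run(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-subj", f"/CN={cn}",
          "-keyout", f"{d}/{cn}.key", "-out", f"{d}/{cn}.csr"])
    _run(["openssl", "x509", "-req", "-in", f"{d}/{cn}.csr", "-CA", f"{d}/{ca}.crt", "-CAkey",
          f"{d}/{ca}.key", "-CAcreateserial", "-days", "1", "-extfile", f"{d}/{cn}.ext", "-out", f"{d}/{cn}.crt"])
    return f"{d}/{cn}.crt", f"{d}/{cn}.key"

def make_ctx(protocol, trust_ca, cert=None, key=None):
    ctx = ssl.SSLContext(protocol)
    ctx.load_verify_locations(trust_ca)  # trust only the private CA, not the public roots
    ctx.verify_mode = ssl.CERT_REQUIRED  # the peer must present a cert chaining to trust_ca
    if cert:
        ctx.load_cert_chain(cert, key)
    return ctx

def authenticated_cn(sctx, cctx, host):  # client CN the server verified, or None if rejected
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out, server_hostname=host)
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(10):  # shuttle handshake records between the two sides
        done = 0
        for side, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                side.do_handshake()
                done += 1
            except ssl.SSLWantReadError:
                pass  # needs more bytes from the peer
            except ssl.SSLError:
                return None  # chain, hostname or missing-certificate failure
            peer_in.write(out.read())
        if done == 2:
            return dict(rdn[0] for rdn in server.getpeercert()["subject"])["commonName"]

def demo():
    with tempfile.TemporaryDirectory() as d:
        for name in ("ota-ca", "other-ca"): make_ca(d, name)
        ca, host = f"{d}/ota-ca.crt", "ota.example.test"
        sctx = make_ctx(ssl.PROTOCOL_TLS_SERVER, ca, *issue(d, "ota-ca", host))
        clients = (issue(d, "ota-ca", "device-001"), issue(d, "other-ca", "rogue-device"), ())
        return [authenticated_cn(sctx, make_ctx(ssl.PROTOCOL_TLS_CLIENT, ca, *c), host) for c in clients]
```

`demo()` returns `['device-001', None, None]`: the device certificate issued by `ota-ca` is accepted, while the certificate from another CA and the client with no certificate are both rejected during the handshake.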