Client Certificate Authentication

Currently, this feature is only available to select customers.

If you're using mutual authentication (mTLS), use this to send a header to your origin server that contains details from the mTLS certificate that was sent from the requesting client to the edge network.

How it works

With mTLS, both a requesting client and the Akamai edge server present a TLS certificate to the other, with each side validating the certificate during the "TLS handshake." Once both certificates are validated, the connection is allowed.

After the TLS handshake succeeds, this behavior can pull details from the client's validated certificate and forward them to your origin server as header values. Configure your origin server to review and trust those headers to establish transitive trust.

This works with Enforce mTLS settings

This behavior is designed to be used with the Client Certificate match, in a child rule of a parent rule that includes the Enforce mTLS settings behavior. The Enforce mTLS settings behavior is what checks and validates the certificates during the TLS handshake.

For an example of its use, see the Enforce mTLS settings behavior.

Features and options

Field: what it does

Enable

With this enabled, an edge server builds the Client-to-Edge-HTTP-Auth header using information from the client to edge server mTLS handshake and sends it to your origin server.

Complete client certificate

When Akamai builds the Client-to-Edge-HTTP-Auth header, it needs to include some form of the client's X.509 certificate. Enable this to include the complete client certificate, in its binary (DER) format. (These files typically use the ".der" extension.) Disable it to select specific client-certificate details, using the Client certificate attributes option.

Client certificate attributes

This is revealed if Complete client certificate is set to "On." Use these options to select specific client certificate attributes for the Client-to-Edge-HTTP-Auth header, instead of including the entire certificate.

  • Client certificate subject. The distinguished name of the client certificate's public key.

  • Client certificate common name (CN). The common name (CN) that's been set in the client certificate.

  • Client certificate SHA-256 fingerprint. The SHA-256 hash of the client certificate, used as its fingerprint.

  • Client certificate issuer. The distinguished name of the entity that issued the certificate.

Certificate validation status

With this enabled, the edge server includes the current validation status of the client certificate in the Client-to-Edge-HTTP-Auth header. Use this as an added measure of security: have your origin server check this validity before it establishes trust with the requesting client.
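The following is an added example, not Akamai's code, showing both halves of the flow described above: the edge side deriving the listed attributes (complete DER certificate, subject, CN, SHA-256 fingerprint, issuer, validation status) from a validated client certificate, and the origin side parsing the Client-to-Edge-HTTP-Auth header and deciding whether to trust it. The page does not document the header's wire format, so the query-string key=value encoding, the field names (cert, subject, cn, sha256, issuer, status) and the "valid" status value are assumptions made for this example; the client certificate is a self-signed one generated in the program so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// ClientCertInfo holds the attributes the page lists for the header.
type ClientCertInfo struct {
	CertDER     []byte // complete certificate in DER form (optional)
	Subject     string // subject distinguished name
	CN          string // subject common name
	Fingerprint string // hex-encoded SHA-256 of the DER certificate
	Issuer      string // issuer distinguished name
	Status      string // validation status reported by the edge (assumed values)
}

// NewConstructedClientCert builds a self-signed client certificate so the
// example runs offline; a real client certificate would come from your CA.
func NewConstructedClientCert(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// BuildAuthHeader plays the edge: it derives the attributes from the already
// validated client certificate and encodes them (assumed key=value format).
func BuildAuthHeader(der []byte, status string) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	v := url.Values{}
	v.Set("cert", base64.StdEncoding.EncodeToString(der)) // "Complete client certificate"
	v.Set("subject", cert.Subject.String())
	v.Set("cn", cert.Subject.CommonName)
	v.Set("sha256", hex.EncodeToString(sum[:]))
	v.Set("issuer", cert.Issuer.String())
	v.Set("status", status) // "Certificate validation status"
	return v.Encode(), nil
}

// ParseAuthHeader decodes the header value at the origin.
func ParseAuthHeader(value string) (ClientCertInfo, error) {
	v, err := url.ParseQuery(value)
	if err != nil {
		return ClientCertInfo{}, err
	}
	info := ClientCertInfo{Subject: v.Get("subject"), CN: v.Get("cn"),
		Fingerprint: v.Get("sha256"), Issuer: v.Get("issuer"), Status: v.Get("status")}
	if b64 := v.Get("cert"); b64 != "" {
		if info.CertDER, err = base64.StdEncoding.DecodeString(b64); err != nil {
			return ClientCertInfo{}, err
		}
	}
	return info, nil
}

// Authorize is the origin-side trust decision: the edge-reported status must
// be "valid" (assumed value), the fingerprint must match the forwarded
// certificate when one is present, and the CN must be one the origin expects.
func Authorize(info ClientCertInfo, allowedCNs []string) error {
	if info.Status != "valid" {
		return fmt.Errorf("client certificate status %q is not valid", info.Status)
	}
	if len(info.CertDER) > 0 {
		sum := sha256.Sum256(info.CertDER)
		if hex.EncodeToString(sum[:]) != info.Fingerprint {
			return errors.New("fingerprint does not match the forwarded certificate")
		}
		if _, err := x509.ParseCertificate(info.CertDER); err != nil {
			return fmt.Errorf("forwarded certificate is malformed: %w", err)
		}
	}
	for _, cn := range allowedCNs {
		if cn == info.CN {
			return nil
		}
	}
	return fmt.Errorf("client CN %q is not permitted", info.CN)
}

func main() {
	der, err := NewConstructedClientCert("device-001")
	if err != nil {
		panic(err)
	}
	hdr, _ := BuildAuthHeader(der, "valid")
	info, _ := ParseAuthHeader(hdr)
	fmt.Printf("Client-to-Edge-HTTP-Auth: cn=%s sha256=%s\n", info.CN, info.Fingerprint)
	fmt.Println("authorize:", Authorize(info, []string{"device-001"}))
}
```

Because the header is plain HTTP, the origin should only honor it on connections that actually arrive from the edge (for example, over an edge-to-origin connection it can authenticate) and should ignore any copy of the header supplied directly by a client; the fingerprint and status checks in Authorize add assurance but do not replace that source check.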