clientCertificate

Property Manager name: Client certificate
Criteria version: The v2026-01-09 rule format supports the clientCertificate criteria v1.2.
Rule format status: Deprecated, outdated rule format
Access: Read/Write
Allowed in includes: Yes

Matches whether you have configured a client certificate to authenticate requests to edge servers.

Option	Type	Description	Requires
`isCertificatePresent`	boolean	Executes rule behaviors only if a client certificate authenticates requests.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`isCertificateValid`	enum	Matches whether the certificate is `VALID` or `INVALID`. You can also `IGNORE` the certificate's validity.	`isCertificatePresent` is `true`	{"displayType":"enum","options":["VALID","INVALID","IGNORE"],"tag":"select"} {"if":{"attribute":"isCertificatePresent","op":"eq","value":true}}
	`VALID`	Match when the certificate is valid.
	`INVALID`	Match when the certificate is invalid.
	`IGNORE`	Ignores the certificate's is valid.
`enforceMtls`	boolean	Specifies custom request handling depending on the result of checks in the `enforceMtlsSettings` behavior. For example, logging requests when an invalid client certificate is present. Add the `enforceMtlsSettings` behavior to a parent rule, with its own unique match condition and the `enableDenyRequest` option disabled.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"and","params":[{"op":"or","params":[{"attribute":"isCertificateValid","op":"eq","value":"VALID"},{"attribute":"isCertificateValid","op":"eq","value":"INVALID"}]},{"attribute":"modulesOnContract","op":"contains","scope":"global","value":"mTLS_client_to_edge"}]}}