clientCertificate

Property Manager name: Client certificate
Criteria version: The v2026-06-09 rule format supports the clientCertificate criteria v1.4.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: Yes

Matches whether you have configured a client certificate to authenticate requests to edge servers.

Option	Type	Description	Requires
`enforceMtls`	enum	Specifies custom request handling depending on the result of checks in the `enforceMtlsSettings` behavior. For example, logging requests when an invalid client certificate is present. Add the `enforceMtlsSettings` behavior to a parent rule, with its own unique match condition and the `enableDenyRequest` option disabled.		{"displayType":"enum","options":["FAIL","PASS","IGNORE"],"tag":"select"}
	`FAIL`	Perform the processing when a valid client certificate is not present.
	`PASS`	Perform the processing when a valid client certificate is present.
	`IGNORE`	Ignore the checks performed in the `enforceMtlsSettings` behavior. Perform the processing based on general client certificate attributes specified in the `certificateState` field.
`certificateState`	enum	Specifies the status of the certificate.	`enforceMtls` is `IGNORE`	{"displayType":"enum","options":["MISSING","PRESENT_VALID","PRESENT_INVALID","PRESENT"],"tag":"select"} {"if":{"attribute":"enforceMtls","op":"eq","value":"IGNORE"}}
	`MISSING`	Perform the processing when a client certificate is not present.
	`PRESENT_VALID`	Perform the processing when a valid client certificate is present.
	`PRESENT_INVALID`	Perform the processing when an invalid client certificate is present.
	`PRESENT`	Perform the processing when a client certificate is present, whether or not it is valid.