clientCertificate

Property Manager name: Client certificate
Criteria version: The v2025-04-29 rule format supports the clientCertificate criteria v1.2.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: Yes

Matches whether you have configured a client certificate to authenticate requests to edge servers.

Option	Type	Description	Requires
`isCertificatePresent`	boolean	Executes rule behaviors only if a client certificate authenticates requests.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`isCertificateValid`	enum	Matches whether the certificate is `VALID` or `INVALID`. You can also `IGNORE` the certificate's validity.	`isCertificatePresent` is `true`	{"displayType":"enum","options":["VALID","INVALID","IGNORE"],"tag":"select"} {"if":{"attribute":"isCertificatePresent","op":"eq","value":true}}
	`VALID`	Match when the certificate is valid.
	`INVALID`	Match when the certificate is invalid.
	`IGNORE`	Ignores the certificate's is valid.
`enforceMtls`	boolean	Specifies custom handling of requests if any of the checks in the `enforceMtlsSettings` behavior fail. Enable this and use with behaviors such as `logCustom` so that they execute if the check fails. You need to add the `enforceMtlsSettings` behavior to a parent rule, with its own unique match condition and `enableDenyRequest` option disabled.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"and","params":[{"op":"or","params":[{"attribute":"isCertificateValid","op":"eq","value":"VALID"},{"attribute":"isCertificateValid","op":"eq","value":"INVALID"}]},{"attribute":"modulesOnContract","op":"contains","scope":"global","value":"mTLS_client_to_edge"}]}}