This behavior repeats m‚ÄčTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or client‚ÄčCertificate criteria to the same rule.


Whether to require a specific mutual transport layer security (m‚ÄčTLS) certificate authority (CA) set in a request from a client to the edge network.


Specify the client certificate authority (CA) sets you want to support in client requests. Run the List CA Sets operation in the m‚ÄčTLS Edge Trust‚ÄčStore API to get the set‚ÄčId value and pass it in this option as a string. If a request includes a set not defined here, it will be denied. The preset list items you can select are contingent on the CA sets you've created using the m‚ÄčTLS Edge Truststore, and then associated with a certificate in the Certificate Provisioning System.

enable‚ÄčAuth‚ÄčSet is true

Whether the mutual transport layer security requests from a client should use the online certificate support protocol (OCSP). OCSP can determine the x.‚Äč509 certificate revocation status during the TLS handshake.


This denies a request from a client that doesn't match what you've set for the options in this behavior. When disabled, non-matching requests are allowed, but you can incorporate a custom handling operation, such as reviewing generated log entries to see the discrepancies, enable the Client-To-Edge authentication header, or issue a custom message.

enable‚ÄčAuth‚ÄčSet is true
OR¬†enable‚ÄčOcsp‚ÄčStatus is true