enforceMtlsSettings

Property Manager name: Enforce mTLS settings
Behavior version: The v2026-02-16 rule format supports the enforceMtlsSettings behavior v1.1.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: Yes

This behavior repeats mTLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or clientCertificate criteria to the same rule.

Option	Type	Description	Requires
`enableAuthSet`	boolean	Enables the Enforce mTLS Settings checks for this request.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`certificateAuthoritySet`	string	Specifies at least one of the CA sets defined in the mTLS Edge Truststore. If a client certificate isn't present or it doesn't match any of the specified CA sets, an error occurs.	`enableAuthSet` is `true`	{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`enableOcspStatus`	boolean	Whether to validate if the client certificate successfully passed OCSP revocation checks.	`enableAuthSet` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`enableDenyRequest`	boolean	Specifies the action to take if `enableOcspStatus` or `enableAuthSet` fails. Set this to `true` to deny the request and send a generic HTTP 403 Forbidden response to the client. Set it to `false` to allow the property to process the request.	`enableAuthSet` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`enableCompleteClientCertificate`	boolean	Whether to forward a complete client certificate to the origin in the header `Akamai-CC-DER`. The header contains a Base64-encoded copy of the certificate in a binary (DER) format enclosed in leading and trailing colons.	`enableAuthSet` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
`clientCertificateAttributes`	string array	Specifies which client certificate attributes to forward to your origin in request headers.	`enableAuthSet` is `true`	{"displayType":"string array","options":["SUBJECT","COMMON_NAME","SHA256_FINGERPRINT","ISSUER"],"tag":"select"} {"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
	`SUBJECT`	Client certificate subject. Akamai sends it in a Base64-encoded format enclosed in leading and trailing colons in the `Akamai-CC-Subject` header.
	`COMMON_NAME`	Client certificate common name (CN). Akamai sends it in a Base64-encoded format enclosed in leading and trailing colons in the `Akamai-CC-CN` header. If the CN doesn't exist in the client certificate, only the leading and trailing colons are included in the header value.
	`SHA256_FINGERPRINT`	Client certificate SHA-256 fingerprint. Akamai sends it in the `Akamai-CC-Fingerprint-Sha256` header.
	`ISSUER`	Client certificate issuer. Akamai sends it in a Base64-encoded format enclosed in leading and trailing colons in the `Akamai-CC-Issuer` header.