client_certificate_auth

Version: v2025-01-13

Includes use: Yes

Behavior name: Client Certificate Authentication

Sends a Client-To-Edge header to your origin server with details from the mutual TLS certificate sent from the requesting client to the edge network. This establishes transitive trust between the client and your origin server.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "client_certificate_auth" {
  rules_v2025_02_18 {
    name     = "Client Certificate Authentication"
    comments = "Establishes transitive trust between the client and your origin server."
    behavior {
      client_certificate_auth {
        enable = false
      }
    }
  }
}

"behaviors": [
  {
    "name": "clientCertificateAuth",
    "options": {
      "enable": false
    }
  }
]

Options

Option Description
enable
Constructs the Client-To-Edge authentication header using information from the client-to-edge mTLS handshake and forwards it to your origin. You can configure your origin to acknowledge the header to enable transitive trust. Some form of the client X.509 certificate needs to be included in the header. You can include the full certificate or specific attributes.
enable_complete_client_certificate
Whether to include the complete client certificate in the header, in its binary (DER) format. DER-formatted certificates leave out the BEGIN CERTIFICATE/END CERTIFICATE statements and most often use the .der extension. Alternatively, you can specify individual client_certificate_attributes you want included in the request.
client_certificate_attributes
Specify client certificate attributes to include in the Client-To-Edge authentication header that's sent to your origin server. Available attributes:
  • SUBJECT. The distinguished name (DN) of the client certificate's subject, the entity that holds the certificate's public key.
  • COMMON_NAME. The common name (CN) that's been set in the client certificate.
  • SHA256_FINGERPRINT. The SHA-256 fingerprint (a hash, not an encryption) of the client certificate.
  • ISSUER. The distinguished name of the entity that issued the certificate.
enable_client_certificate_validation_status
Whether to include the current validation status of the client certificate in the Client-To-Edge authentication header. This verifies the validation status of the certificate, regardless of the certificate attributes you're including in the header.
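
How an origin could pin clients on the SHA256_FINGERPRINT attribute, as an added example that is not Akamai's code. It assumes the origin has already extracted the fingerprint string from the Client-To-Edge header (this page does not show the header's wire format) and that the fingerprint is the conventional SHA-256 digest of the certificate's DER bytes; every function name and the sample bytes are hypothetical.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a certificate's DER bytes (not a parseable certificate).
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-example-cert"

def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE armor (PEM)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode back to the DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 digest of the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' spellings; reject anything not 64 hex chars."""
    fp = fp.replace(":", "").strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", fp):
        raise ValueError("not a SHA-256 fingerprint")
    return fp

def is_pinned(presented: str, allowlist: set[str]) -> bool:
    """True if the presented fingerprint matches a pinned one (constant-time compare)."""
    try:
        candidate = normalize(presented)
    except ValueError:
        return False  # malformed header value: fail closed
    return any(hmac.compare_digest(candidate, normalize(p)) for p in allowlist)

if __name__ == "__main__":
    # The fingerprint is computed over DER, so PEM input is decoded first.
    fp = sha256_fingerprint(pem_to_der(der_to_pem(SAMPLE_DER)))
    colon_form = ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    print(fp, is_pinned(colon_form, {fp}))
```

A fingerprint check of this kind is only meaningful if the origin accepts the header solely from the edge network; otherwise any caller can supply the header value directly.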