client_certificate_auth

Property Manager name: Client Certificate Authentication
Behavior version: The v2025-01-13 rule format supports the client_certificate_auth behavior v1.0.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: Yes

Sends a Client-To-Edge header to your origin server with details from the mutual TLS certificate sent from the requesting client to the edge network. This establishes transitive trust between the client and your origin server.

Option	Type	Description
`enable`	boolean	Constructs the `Client-To-Edge` authentication header using information from the client to edge mTLS handshake and forwards it to your origin. You can configure your origin to acknowledge the header to enable transitive trust. Some form of the client x.509 certificate needs to be included in the header. You can include the full certificate or specific attributes.	{"displayType":"boolean","tag":"input","type":"checkbox"}
`enable_complete_client_certificate`	boolean	Whether to include the complete client certificate in the header, in its binary (DER) format. DER-formatted certificates leave out the `BEGIN CERTIFICATE/END CERTIFICATE` statements and most often use the `.der` extension. Alternatively, you can specify individual `client_certificate_attributes` you want included in the request.	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enable","op":"eq","value":true}}
`client_certificate_attributes`	string array	Specify client certificate attributes to include in the `Client-To-Edge` authentication header that's sent to your origin server.	{"displayType":"string array","options":["SUBJECT","COMMON_NAME","SHA256_FINGERPRINT","ISSUER"],"tag":"select"} {"if":{"attribute":"enable","op":"eq","value":true}}
	`SUBJECT`	The distinguished name of the client certificate's public key, in the `Client-To-Edge` authentication header.
	`COMMON_NAME`	The common name (CN) that's been set in the client certificate, in the `Client-To-Edge` authentication header.
	`SHA256_FINGERPRINT`	An SHA-256 encrypted fingerprint of the client certificate, in the `Client-To-Edge` authentication header.
	`ISSUER`	The distinguished name of the entity that issued the certificate, in the `Client-To-Edge` authentication header.
`enable_client_certificate_validation_status`	boolean	Whether to include the current validation status of the client certificate in the `Client-To-Edge` authentication header. This verifies the validation status of the certificate, regardless of the certificate attributes you're including in the header.	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enable","op":"eq","value":true}}

Updated about 1 month ago