client_certificate_auth

Suggest Edits

Version: `v2025-01-13`	Includes use: Yes

Behavior name: Client Certificate Authentication

Sends a Client-To-Edge header to your origin server with details from the mutual TLS certificate sent from the requesting client to the edge network. This establishes transitive trust between the client and your origin server.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "client_certificate_auth" {
  rules_v2025_02_18 {
    name     = "Client Certificate Authentication"
    comments = "Establishes transitive trust between the client and your origin server."
    behavior {
      client_certificate_auth {
        enable = false
      }
    }
  }
}

"behaviors": [
  {
  "name": "clientCertificateAuth",
    "options": {
      "enable": false
    }
  }
]

Options

Option	Description
`enable`	Boolean Constructs the `Client-To-Edge` authentication header using information from the client to edge mTLS handshake and forwards it to your origin. You can configure your origin to acknowledge the header to enable transitive trust. Some form of the client x.509 certificate needs to be included in the header. You can include the full certificate or specific attributes.
`enable_complete_client_certificate`	Boolean Whether to include the complete client certificate in the header, in its binary (DER) format. DER-formatted certificates leave out the `BEGIN CERTIFICATE/END CERTIFICATE` statements and most often use the `.der` extension. Alternatively, you can specify individual `client_certificate_attributes` you want included in the request.
`client_certificate_attributes`	String array Specify client certificate attributes to include in the `Client-To-Edge` authentication header that's sent to your origin server. Available attributes: `SUBJECT`. The distinguished name of the client certificate's public key, in the `Client-To-Edge` authentication header. `COMMON_NAME`. The common name (CN) that's been set in the client certificate, in the `Client-To-Edge` authentication header. `SHA256_FINGERPRINT`. An SHA-256 encrypted fingerprint of the client certificate, in the `Client-To-Edge` authentication header. `ISSUER`. The distinguished name of the entity that issued the certificate, in the `Client-To-Edge` authentication header.
`enable_client_certificate_validation_status`	Boolean Whether to include the current validation status of the client certificate in the `Client-To-Edge` authentication header. This verifies the validation status of the certificate, regardless of the certificate attributes you're including in the header.

Updated about 1 hour ago