GuideReference
Guide

enforce_​mtls_​settings

Suggest Edits
  • Property Manager name: Enforce mTLS settings
  • Behavior version: The v2025-01-13 rule format supports the enforce_​mtls_​settings behavior v1.0.
  • Rule format status: GA, stable
  • Access: Read/Write
  • Allowed in includes: Yes

This behavior repeats m​TLS validation checks between a requesting client and the edge network. If the checks fail, you can deny the request or apply custom error handling. To use this behavior, you need to add either the hostname or client​_certificate criteria to the same rule.

OptionTypeDescriptionRequires
enable_​auth_​setboolean

Whether to require a specific mutual transport layer security (m​TLS) certificate authority (CA) set in a request from a client to the edge network.

{"displayType":"boolean","tag":"input","type":"checkbox"}
certificate_​authority_​setstring 
Specify the client certificate authority (CA) sets you want to support in client requests. Run the List CA Sets operation in the m​TLS Edge Trust​Store API to get the set​Id value and pass it in this option as a string. If a request includes a set not defined here, it will be denied. The preset list items you can select are contingent on the CA sets you've created using the m​TLS Edge Truststore, and then associated with a certificate in the Certificate Provisioning System.
enable_​auth_​set is true
{"displayType":"string","tag":"input","type":"text"}
{"if":{"attribute":"enableAuthSet","op":"eq","value":true}}
enable_​ocsp_​statusboolean 
Whether the mutual transport layer security requests from a client should use the online certificate support protocol (OCSP). OCSP can determine the x.​509 certificate revocation status during the TLS handshake.
{"displayType":"boolean","tag":"input","type":"checkbox"}
enable_​deny_​requestboolean 
This denies a request from a client that doesn't match what you've set for the options in this behavior. When disabled, non-matching requests are allowed, but you can incorporate a custom handling operation, such as reviewing generated log entries to see the discrepancies, enable the Client-To-Edge authentication header, or issue a custom message.
enable_​auth_​set is true
OR enable_​ocsp_​status is true
{"displayType":"boolean","tag":"input","type":"checkbox"}
{"if":{"op":"or","params":[{"attribute":"enableAuthSet","op":"eq","value":true},{"attribute":"enableOcspStatus","op":"eq","value":true}]}}
Updated about 1 month ago