Questions tagged [client-certificate]

A certificate which authenticates a client or user towards a server or service.

Client certificates are commonly used to authenticate to a service (e.g. a website or VPN). They can be part of two-factor authentication.

40 questions
7 votes, 1 answer

How does one forward a client authentication certificate through HA proxy while terminating TLS?

I have a web API fronted by an HA Proxy load balancer. The web API uses client authentication certificates for identity authentication and authorization. I'd like the HA Proxy appliance to terminate the TLS connection and use normal HTTP on the…
Matt Hamsmith
6 votes, 1 answer

AWS API Gateway Lambda Authorizers + Client certificates

I'm evaluating the use of client certificates to improve security in an application I'm working on. It all runs on AWS and passes through an API Gateway with an attached Lambda authorizer. AWS documentation states that API Gateway does not…
5 votes, 1 answer

Debugging client certificate issues on IIS

We have a 2008R2 IIS server set up with a site configured to require client certificates. Our test client isn't working, and we're trying to debug why. During the course of this, we've set up a new Server 2008 R2 box (yes, I know it's old, but this…
Chris J
4 votes, 2 answers

Is it possible to get a browser to present a client side certificate even if the client cert isn't signed by the same CA as the server cert?

I'm in a strange scenario where I have a server with NodeJS backend and ReactJS frontend that does record keeping where the customer wants to use user certificates to ID who visits this internal site. The problem is they have a very large network,…
Grant Curell
2 votes, 1 answer

Configure NGINX reverse proxy to verify client certificate custom field

I would like to verify a client certificate "custom" field directly with NGINX before returning it to the actual page. As I understand from here: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client it's easily achievable for…
Zakkojo
2 votes, 1 answer

How to add checks for multiple specific ssl_client_fingerprints in Nginx configuration?

In addition to usual CA chain validation, I would like Nginx server section to permit specific client certificate thumbprints only. I could find how to check for single fingerprint, but I'm not sure how to combine multiple fingerprints because Nginx…
JustAMartin
2 votes, 1 answer

Add Client Certificate when acting as a reverse proxy

I basically have the exact same problem as Add Client certificate when acting as reverse proxy (Apache/NGINX), but in my case there is no nginx that can help me out. I want a certain location inside my virtual host to act as a reverse proxy for a…
Thomas Hilbert
2 votes, 1 answer

Nginx: Change value of `ssl_verify_client` based on request IP

When setting up nginx with client-certificate config, ssl_verify_client should be set to on or optional. If we want to bypass verification for local users (like 192.168.0.0/24), we can use optional value. But this way, nginx still requests a…
Taha Jahangir
2 votes, 1 answer

Configure postfix to enforce client certificate authentication for one domain

I have a postfix server which processes mails for several domains. The server is using TLS encryption if the client requests it, but currently does not enforce it for compatibility reasons. Now there's a new domain which this server should process…
TomS
2 votes, 1 answer

Postfix client cert info not being passed to opendkim milter

I have a private postfix server that uses dovecot sasl to optionally authenticate submission clients, and I'm trying to set it up to also accept client certificates to allow it to act as a relay host for certain specific origin servers. I've got it…
jcsanyi
2 votes, 0 answers

NGINX Client Certificate with Indirect CRL

I'm trying to implement mTLS using Nginx SSL Module. Everything works fine until I give Nginx CRL files concatenated in PEM format because one of the CRLs is an Indirect CRL. The chain for a leaf certificate will look like this: Root -> CA1 -> CA2 ->…
Romain V...
2 votes, 1 answer

Lighttpd Client Certificate Authentication

I'm trying to enable client certificate authentication with lighttpd using my own internal Windows CAs. Disclaimer: I'm still very new to PKI :D I have an offline root CA and a subordinate CA in my homelab. I've already imported the root CA into…
poppopretn
1 vote, 1 answer

List all client certificates installed on user profiles in a domain

I'm taking initial steps to start securing a network, and I've come across the fact that a number of machines have Client Certificates for websites installed in the user client certificate store, locally, rather than through AD. These are from a…
Moof
1 vote, 1 answer

Should I use a public or an internal CA for client certificate / mTLS?

I am configuring an Azure App Gateway for mutual authentication (mTLS). This question is more generally about when and when not to use public vs internal CAs for client certificates / mutual authentication / mTLS. The use case here is allowing…
ArchiDavid
1 vote, 1 answer

Apache 2.4: Require client certificate only for non-GET methods

We have an internal service running on HTTP with an Apache 2.4 instance (Debian Bullseye) put in front of it as a proxy for HTTPS. Apache and HTTPS are up and running, but an additional requirement is for client certificates -- specifically, GET and…
T2PS