Client Certificate Verification

Go to the Application SSL page and click the edit button.

Here select Yes or Optional to enable the client certificate verification.

• Yes: Force client certificate verification, if there is no client certificate or incorrect client certificate, 400 error code will be returned directly.
• Optional: Optional client certificate verification, if there is no client certificate or incorrect client certificate will not return 400 error code, you need to use Enable SSL Client Verify action in the page rule for authentication.

If the client certificate is a self-signed certificate, you need to upload the CA certificate that issued it.

# Enable Client Certificate Verification In Page Rules

You need to ensure that the option for client certificate verification is Optional.

Client certificate verification can be enabled flexibly according to different conditions in the page rules, for example, verification is enabled only when the URI prefix is /client-verify.

We also provide Subject DN and Issuer DN in the client certificate as conditions that can distinguish different client certificates.

Subject DN and Issuer DN can be read with the openssl command.

# subject DN
openssl x509 -subject -nameopt RFC2253 -noout -in client.crt

# issuer DN
openssl x509 -issuer -nameopt RFC2253 -noout -in client.crt

If we want to customize the client certificate verification error page, we can add Custom Error Page before enabling client certificate verification.