Client Certificate Verification
Go to the Application SSL
page and click the edit button.
Here select Yes
or Optional
to enable the client certificate verification.
- Yes: Force client certificate verification, if there is no client certificate or incorrect client certificate, 400 error code will be returned directly.
- Optional: Optional client certificate verification, if there is no client
certificate or incorrect client certificate will not return 400 error code,
you need to use
Enable SSL Client Verify
action in the page rule for authentication.
If the client certificate is a self-signed certificate, you need to upload the CA certificate that issued it.
Enable Client Certificate Verification In Page Rules
You need to ensure that the option for client certificate verification is
Optional
.
Client certificate verification can be enabled flexibly according to different conditions in the page rules, for example, verification is enabled only when the URI prefix is /client-verify
.
We also provide Subject DN
and Issuer DN
in the client certificate as conditions that can distinguish different client certificates.
Subject DN
and Issuer DN
can be read with the openssl
command.
# subject DN
openssl x509 -subject -nameopt RFC2253 -noout -in client.crt
# issuer DN
openssl x509 -issuer -nameopt RFC2253 -noout -in client.crt
If we want to customize the client certificate verification error page, we can add Custom Error Page before enabling client certificate verification.