Client Certificate Verification

Go to the Application SSL page and click the edit button.

Here select Yes or Optional to enable the client certificate verification.

  • Yes: Force client certificate verification, if there is no client certificate or incorrect client certificate, 400 error code will be returned directly.
  • Optional: Optional client certificate verification, if there is no client certificate or incorrect client certificate will not return 400 error code, you need to use Enable SSL Client Verify action in the page rule for authentication.

If the client certificate is a self-signed certificate, you need to upload the CA certificate that issued it.

Enable Client Certificate Verification In Page Rules

You need to ensure that the option for client certificate verification is Optional.

Client certificate verification can be enabled flexibly according to different conditions in the page rules, for example, verification is enabled only when the URI prefix is /client-verify.

We also provide Client Serial Number, Subject DN and Issuer DN in the client certificate as conditions that can distinguish different client certificates.

Serial Number Subject DN and Issuer DN can be read with the openssl command.

# serial number
openssl x509 -serial -nameopt RFC2253 -noout -in client.crt

# subject DN
openssl x509 -subject -nameopt RFC2253 -noout -in client.crt

# issuer DN
openssl x509 -issuer -nameopt RFC2253 -noout -in client.crt

If we want to customize the client certificate verification error page, we can add Custom Error Page before enabling client certificate verification.

Verify Client Certificate Serial Number with the global Lua module

If you need to check the revoked serial numbers in the CRL certificate revocation list, you can add a global Lua module and call it via Edgelang.

This can be done via the Python SDK to generate this global Lua module for dynamic updates.

import sys

from edge2client import Edge2Client

client = Edge2Client('https://your-admin-addr', 'your-admin-user', 'your-admin-password')

crl_files = ["~/test.crl"]
code = client. conv_crl_to_lua_module(crl_files)

client.login()

partition_id = 1
name = "crl_test.com"

# for the first time, we need to create the module first
result = client.new_partition_lua_module(partition_id, name, code)
mod_id = result["id"]

# for the second time, we need to update the module with mod_id from the first creation
result = client.put_partition_lua_module(partition_id, mod_id, name, code)
print(result)

Save the above code as serial-num.py, and then run python3 serial-num.py. You will see the new module in your admin page like below.

For example, if you add a global Lua module with the name crl_test.com, you can call it with the following Edgelang.

true =>
    foreign-call(module: "crl_test.com", func: "verify_client_serial");

Translated with www.DeepL.com/Translator (free version)