PassTLSClientCert

Adding Client Certificates in a Header

PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.

Configuration Examples

Pass the escaped pem in the X-Forwarded-Tls-Client-Cert header.

Docker

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: Middleware
  3. metadata:
  4.   name: test-passtlsclientcert
  5. spec:
  6.   passTLSClientCert:
  7.     pem: true

Consul Catalog

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
  2. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

Marathon

  1. "labels": {
  2.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
  3. }

Rancher

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

File (YAML)

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. http:
  3.   middlewares:
  4.     test-passtlsclientcert:
  5.       passTLSClientCert:
  6.         pem: true

File (TOML)

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. [http.middlewares]
  3.   [http.middlewares.test-passtlsclientcert.passTLSClientCert]
  4.     pem = true

Pass the escaped pem in the X-Forwarded-Tls-Client-Cert header

Docker

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  4.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  5.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  6.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
  7.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  8.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  9.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  10.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  11.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  12.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
  13.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  14.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  15.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  16.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  17.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  18.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  19.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  20.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  21.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

Kubernetes

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. apiVersion: traefik.containo.us/v1alpha1
  3. kind: Middleware
  4. metadata:
  5.   name: test-passtlsclientcert
  6. spec:
  7.   passTLSClientCert:
  8.     info:
  9.       notAfter: true
  10.       notBefore: true
  11.       sans: true
  12.       subject:
  13.         country: true
  14.         province: true
  15.         locality: true
  16.         organization: true
  17.         organizationalUnit: true
  18.         commonName: true
  19.         serialNumber: true
  20.         domainComponent: true
  21.       issuer:
  22.         country: true
  23.         province: true
  24.         locality: true
  25.         organization: true
  26.         commonName: true
  27.         serialNumber: true
  28.         domainComponent: true

Consul Catalog

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  3. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  4. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  5. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  6. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  7. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  8. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  9. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  10. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
  11. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  12. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  13. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  14. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  15. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  16. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  17. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  18. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  19. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

Marathon

  1. "labels": {
  2.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
  3.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
  4.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
  5.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
  6.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
  7.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
  8.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
  9.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
  10.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit": "true",
  11.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
  12.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
  13.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
  14.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
  15.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
  16.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
  17.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
  18.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
  19.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
  20. }

Rancher

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  4.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  5.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  6.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  7.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  8.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  9.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  10.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  11.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organizationalunit=true"
  12.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  13.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  14.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  15.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  16.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  17.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  18.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  19.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  20.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

File (YAML)

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. http:
  3.   middlewares:
  4.     test-passtlsclientcert:
  5.       passTLSClientCert:
  6.         info:
  7.           notAfter: true
  8.           notBefore: true
  9.           sans: true
  10.           subject:
  11.             country: true
  12.             province: true
  13.             locality: true
  14.             organization: true
  15.             organizationalUnit: true
  16.             commonName: true
  17.             serialNumber: true
  18.             domainComponent: true
  19.           issuer:
  20.             country: true
  21.             province: true
  22.             locality: true
  23.             organization: true
  24.             commonName: true
  25.             serialNumber: true
  26.             domainComponent: true

File (TOML)

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. [http.middlewares]
  3.   [http.middlewares.test-passtlsclientcert.passTLSClientCert]
  4.     [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
  5.       notAfter = true
  6.       notBefore = true
  7.       sans = true
  8.       [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
  9.         country = true
  10.         province = true
  11.         locality = true
  12.         organization = true
  13.         organizationalUnit = true
  14.         commonName = true
  15.         serialNumber = true
  16.         domainComponent = true
  17.       [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
  18.         country = true
  19.         province = true
  20.         locality = true
  21.         organization = true
  22.         commonName = true
  23.         serialNumber = true
  24.         domainComponent = true

Configuration Options

General

PassTLSClientCert can add two headers to the request:

  • X-Forwarded-Tls-Client-Cert that contains the escaped pem.
  • X-Forwarded-Tls-Client-Cert-Info that contains all the selected certificate information in an escaped string.

Info

  • Each header value is a string that has been escaped in order to be a valid URL query.
  • These options only work accordingly to the MutualTLS configuration. That is to say, only the certificates that match the clientAuth.clientAuthType policy are passed.

The following example shows a complete certificate and explains each of the middleware options.

A complete client TLS certificate

  1. Certificate:
  2.     Data:
  3.         Version: 3 (0x2)
  4.         Serial Number: 1 (0x1)
  5.         Signature Algorithm: sha1WithRSAEncryption
  6.         Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/[email protected]/[email protected]
  7.         Validity
  8.             Not Before: Dec  6 11:10:16 2018 GMT
  9.             Not After : Dec  5 11:10:16 2020 GMT
  10.         Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/[email protected]/[email protected]
  11.         Subject Public Key Info:
  12.             Public Key Algorithm: rsaEncryption
  13.                 RSA Public-Key: (2048 bit)
  14.                 Modulus:
  15.                     00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
  16.                     a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
  17.                     1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
  18.                     d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
  19.                     8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
  20.                     39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
  21.                     dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
  22.                     6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
  23.                     11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
  24.                     2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
  25.                     63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
  26.                     a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
  27.                     d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
  28.                     fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
  29.                     d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
  30.                     c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
  31.                     2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
  32.                     ee:f9
  33.                 Exponent: 65537 (0x10001)
  34.         X509v3 extensions:
  35.             X509v3 Key Usage: critical
  36.                 Digital Signature, Key Encipherment
  37.             X509v3 Basic Constraints:
  38.                 CA:FALSE
  39.             X509v3 Extended Key Usage:
  40.                 TLS Web Server Authentication, TLS Web Client Authentication
  41.             X509v3 Subject Key Identifier:
  42.                 94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
  43.             X509v3 Authority Key Identifier:
  44.                 keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
  46.             X509v3 Subject Alternative Name:
  47.                 DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:[email protected], email:[email protected]
  48.     Signature Algorithm: sha1WithRSAEncryption
  49.          76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
  50.          16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
  51.          ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
  52.          5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
  53.          8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
  54.          cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
  55.          1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
  56.          8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
  57.          74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
  58.          9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
  59.          62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
  60.          60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
  61.          9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
  62.          d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
  63.          c6:98:8a:31
  64. -----BEGIN CERTIFICATE-----
  65. MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
  66. ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
  67. ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
  68. Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
  69. AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
  70. IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
  71. DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
  72. D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
  73. Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
  74. NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
  75. MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
  76. BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
  77. HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
  78. ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
  79. A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
  80. VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
  81. MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
  82. EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  83. AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
  84. iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
  85. KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
  86. yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
  87. BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
  88. Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
  89. A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
  90. BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
  91. BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
  92. Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
  93. Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
  94. FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
  95. KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
  96. CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
  97. mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
  98. ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
  99. -----END CERTIFICATE-----

pem

The pem option sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate.

In the example, it is the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters:

The data used by the pem option

  1. -----BEGIN CERTIFICATE-----
  2. MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
  3. ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
  4. ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
  5. Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
  6. AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
  7. IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
  8. DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
  9. D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
  10. Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
  11. NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
  12. MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
  13. BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
  14. HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
  15. ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
  16. A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
  17. VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
  18. MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
  19. EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  20. AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
  21. iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
  22. KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
  23. yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
  24. BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
  25. Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
  26. A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
  27. BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
  28. BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
  29. Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
  30. Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
  31. FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
  32. KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
  33. CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
  34. mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
  35. ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
  36. -----END CERTIFICATE-----

Extracted data

The delimiters and \n will be removed. If there are more than one certificate, they are separated by a “,“.

X-Forwarded-Tls-Client-Cert value could exceed the web server header size limit

The header size limit of web servers is commonly between 4kb and 8kb. If that turns out to be a problem, and if reconfiguring the server to allow larger headers is not an option, one can alleviate the problem by selecting only the interesting parts of the cert, through the use of the info options described below. (And by setting pem to false).

info

The info option selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The value of the header is an escaped concatenation of all the selected certificate details. But in the following, unless specified otherwise, all the header values examples are shown unescaped, for readability.

The following example shows such a concatenation, when all the available fields are selected:

  1. Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,[email protected],[email protected],10.0.1.0,10.0.1.2"

Multiple certificates

If there are more than one certificate, they are separated by a ,.

info.serialNumber

Set the info.serialNumber option to true to add the Serial Number of the certificate.

The data is taken from the following certificate part:

  1. Serial Number:
  2.    6a:2f:20:f8:ce:8d:48:52:ba:d9:bb:be:60:ec:bf:79

And it is formatted as follows in the header (decimal representation):

  1. SerialNumber="141142874255168551917600297745052909433"

info.notAfter

Set the info.notAfter option to true to add the Not After information from the Validity part.

The data is taken from the following certificate part:

  1. Validity
  2.     Not After : Dec  5 11:10:16 2020 GMT

And it is formatted as follows in the header:

  1. NA="1607166616"

info.notBefore

Set the info.notBefore option to true to add the Not Before information from the Validity part.

The data is taken from the following certificate part:

  1. Validity
  2.     Not Before: Dec  6 11:10:16 2018 GMT

And it is formatted as follows in the header:

  1. NB="1544094616"

info.sans

Set the info.sans option to true to add the Subject Alternative Name information from the Subject Alternative Name part.

The data is taken from the following certificate part:

  1. X509v3 Subject Alternative Name:
  2.    DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:[email protected], email:[email protected]

And it is formatted as follows in the header:

  1. SAN="*.example.org,*.example.net,*.example.com,[email protected],[email protected],10.0.1.0,10.0.1.2"

Multiple values

The SANs are separated by a ,.

info.subject

The info.subject selects the specific client certificate subject details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The data is taken from the following certificate part:

  1. Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/[email protected]/[email protected]
info.subject.country

Set the info.subject.country option to true to add the country information into the subject.

The data is taken from the subject part with the C key.

And it is formatted as follows in the header:

  1. C=FR,C=US
info.subject.province

Set the info.subject.province option to true to add the province information into the subject.

The data is taken from the subject part with the ST key.

And it is formatted as follows in the header:

  1. ST=Cheese org state,ST=Cheese com state
info.subject.locality

Set the info.subject.locality option to true to add the locality information into the subject.

The data is taken from the subject part with the L key.

And it is formatted as follows in the header:

  1. L=TOULOUSE,L=LYON
info.subject.organization

Set the info.subject.organization option to true to add the organization information into the subject.

The data is taken from the subject part with the O key.

And it is formatted as follows in the header:

  1. O=Cheese,O=Cheese 2
info.subject.organizationalUnit

Set the info.subject.organizationalUnit option to true to add the organizationalUnit information into the subject.

The data is taken from the subject part with the OU key.

And it is formatted as follows in the header:

  1. OU=Cheese Section,OU=Cheese Section 2
info.subject.commonName

Set the info.subject.commonName option to true to add the commonName information into the subject.

The data is taken from the subject part with the CN key.

And it is formatted as follows in the header:

  1. CN=*.example.com
info.subject.serialNumber

Set the info.subject.serialNumber option to true to add the serialNumber information into the subject.

The data is taken from the subject part with the SN key.

And it is formatted as follows in the header:

  1. SN=1234567890
info.subject.domainComponent

Set the info.subject.domainComponent option to true to add the domainComponent information into the subject.

The data is taken from the subject part with the DC key.

And it is formatted as follows in the header:

  1. DC=org,DC=cheese

info.issuer

The info.issuer selects the specific client certificate issuer details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The data is taken from the following certificate part:

  1. Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/[email protected]/[email protected]
info.issuer.country

Set the info.issuer.country option to true to add the country information into the issuer.

The data is taken from the issuer part with the C key.

And it is formatted as follows in the header:

  1. C=FR,C=US
info.issuer.province

Set the info.issuer.province option to true to add the province information into the issuer.

The data is taken from the issuer part with the ST key.

And it is formatted as follows in the header:

  1. ST=Signing State,ST=Signing State 2
info.issuer.locality

Set the info.issuer.locality option to true to add the locality information into the issuer.

The data is taken from the issuer part with the L key.

And it is formatted as follows in the header:

  1. L=TOULOUSE,L=LYON
info.issuer.organization

Set the info.issuer.organization option to true to add the organization information into the issuer.

The data is taken from the issuer part with the O key.

And it is formatted as follows in the header:

  1. O=Cheese,O=Cheese 2
info.issuer.commonName

Set the info.issuer.commonName option to true to add the commonName information into the issuer.

The data is taken from the issuer part with the CN key.

And it is formatted as follows in the header:

  1. CN=Simple Signing CA 2
info.issuer.serialNumber

Set the info.issuer.serialNumber option to true to add the serialNumber information into the issuer.

The data is taken from the issuer part with the SN key.

And it is formatted as follows in the header:

  1. SN=1234567890
info.issuer.domainComponent

Set the info.issuer.domainComponent option to true to add the domainComponent information into the issuer.

The data is taken from the issuer part with the DC key.

And it is formatted as follows in the header:

  1. DC=org,DC=cheese