PassTLSClientCert

Adding Client Certificates in a Header

PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.

Configuration Examples

Pass the escaped pem in the X-Forwarded-Tls-Client-Cert header.

Docker

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

Kubernetes

  1. apiVersion: traefik.containo.us/v1alpha1
  2. kind: Middleware
  3. metadata:
  4.   name: addprefix
  5. spec:
  6.   passTLSClientCert:
  7.     pem: true

Consul Catalog

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header
  2. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

Marathon

  1. "labels": {
  2.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
  3. }

Rancher

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

File (YAML)

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. http:
  3.   middlewares:
  4.     test-passtlsclientcert:
  5.       passTLSClientCert:
  6.         pem: true

File (TOML)

  1. # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
  2. [http.middlewares]
  3.   [http.middlewares.test-passtlsclientcert.passTLSClientCert]
  4.     pem = true

Pass the escaped pem in the X-Forwarded-Tls-Client-Cert header

Docker

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  4.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  5.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  6.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.serialnumber=true"
  7.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  8.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  9.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  10.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  11.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  12.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  13.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  14.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  15.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  16.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  17.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  18.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  19.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  20.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

Kubernetes

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. apiVersion: traefik.containo.us/v1alpha1
  3. kind: Middleware
  4. metadata:
  5.   name: test-passtlsclientcert
  6. spec:
  7.   passTLSClientCert:
  8.     info:
  9.       notAfter: true
  10.       notBefore: true
  11.       sans: true
  12.       subject:
  13.         country: true
  14.         province: true
  15.         locality: true
  16.         organization: true
  17.         commonName: true
  18.         serialNumber: true
  19.         domainComponent: true
  20.       issuer:
  21.         country: true
  22.         province: true
  23.         locality: true
  24.         organization: true
  25.         commonName: true
  26.         serialNumber: true
  27.         domainComponent: true

Consul Catalog

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  3. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  4. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  5. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  6. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  7. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  8. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  9. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  10. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  11. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  12. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  13. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  14. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  15. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  16. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  17. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  18. - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

Marathon

  1. "labels": {
  2.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
  3.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
  4.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
  5.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
  6.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
  7.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
  8.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
  9.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
  10.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
  11.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
  12.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
  13.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
  14.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
  15.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
  16.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
  17.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
  18.   "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
  19. }

Rancher

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. labels:
  3.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
  4.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
  5.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
  6.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
  7.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
  8.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
  9.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
  10.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
  11.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
  12.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
  13.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
  14.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
  15.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
  16.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
  17.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
  18.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
  19.   - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

File (YAML)

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. http:
  3.   middlewares:
  4.     test-passtlsclientcert:
  5.       passTLSClientCert:
  6.         info:
  7.           notAfter: true
  8.           notBefore: true
  9.           sans: true
  10.           subject:
  11.             country: true
  12.             province: true
  13.             locality: true
  14.             organization: true
  15.             commonName: true
  16.             serialNumber: true
  17.             domainComponent: true
  18.           issuer:
  19.             country: true
  20.             province: true
  21.             locality: true
  22.             organization: true
  23.             commonName: true
  24.             serialNumber: true
  25.             domainComponent: true

File (TOML)

  1. # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
  2. [http.middlewares]
  3.   [http.middlewares.test-passtlsclientcert.passTLSClientCert]
  4.     [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
  5.       notAfter = true
  6.       notBefore = true
  7.       sans = true
  8.       [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
  9.         country = true
  10.         province = true
  11.         locality = true
  12.         organization = true
  13.         commonName = true
  14.         serialNumber = true
  15.         domainComponent = true
  16.       [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
  17.         country = true
  18.         province = true
  19.         locality = true
  20.         organization = true
  21.         commonName = true
  22.         serialNumber = true
  23.         domainComponent = true

Configuration Options

General

PassTLSClientCert can add two headers to the request:

  • X-Forwarded-Tls-Client-Cert that contains the escaped pem.
  • X-Forwarded-Tls-Client-Cert-Info that contains all the selected certificate information in an escaped string.

Info

  • The headers are filled with escaped string so it can be safely placed inside a URL query.
  • These options only work accordingly to the MutualTLS configuration. That is to say, only the certificates that match the clientAuth.clientAuthType policy are passed.

The following example shows a complete certificate and explains each of the middleware options.

A complete client TLS certificate

  1. Certificate:
  2.     Data:
  3.         Version: 3 (0x2)
  4.         Serial Number: 1 (0x1)
  5.         Signature Algorithm: sha1WithRSAEncryption
  6.         Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
  7.         Validity
  8.             Not Before: Dec  6 11:10:16 2018 GMT
  9.             Not After : Dec  5 11:10:16 2020 GMT
  10.         Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
  11.         Subject Public Key Info:
  12.             Public Key Algorithm: rsaEncryption
  13.                 RSA Public-Key: (2048 bit)
  14.                 Modulus:
  15.                     00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
  16.                     a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
  17.                     1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
  18.                     d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
  19.                     8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
  20.                     39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
  21.                     dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
  22.                     6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
  23.                     11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
  24.                     2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
  25.                     63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
  26.                     a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
  27.                     d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
  28.                     fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
  29.                     d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
  30.                     c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
  31.                     2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
  32.                     ee:f9
  33.                 Exponent: 65537 (0x10001)
  34.         X509v3 extensions:
  35.             X509v3 Key Usage: critical
  36.                 Digital Signature, Key Encipherment
  37.             X509v3 Basic Constraints:
  38.                 CA:FALSE
  39.             X509v3 Extended Key Usage:
  40.                 TLS Web Server Authentication, TLS Web Client Authentication
  41.             X509v3 Subject Key Identifier:
  42.                 94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
  43.             X509v3 Authority Key Identifier:
  44.                 keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
  46.             X509v3 Subject Alternative Name:
  47.                 DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net
  48.     Signature Algorithm: sha1WithRSAEncryption
  49.          76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
  50.          16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
  51.          ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
  52.          5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
  53.          8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
  54.          cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
  55.          1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
  56.          8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
  57.          74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
  58.          9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
  59.          62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
  60.          60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
  61.          9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
  62.          d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
  63.          c6:98:8a:31
  64. -----BEGIN CERTIFICATE-----
  65. MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
  66. ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
  67. ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
  68. Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
  69. AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
  70. IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
  71. DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
  72. D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
  73. Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
  74. NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
  75. MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
  76. BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
  77. HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
  78. ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
  79. A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
  80. VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
  81. MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
  82. EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  83. AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
  84. iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
  85. KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
  86. yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
  87. BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
  88. Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
  89. A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
  90. BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
  91. BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
  92. Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
  93. Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
  94. FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
  95. KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
  96. CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
  97. mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
  98. ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
  99. -----END CERTIFICATE-----

pem

The pem option sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate.

In the example, it is the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters:

The data used by the pem option

  1. -----BEGIN CERTIFICATE-----
  2. MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
  3. ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
  4. ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
  5. Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
  6. AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
  7. IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
  8. DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
  9. D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
  10. Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
  11. NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
  12. MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
  13. BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
  14. HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
  15. ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
  16. A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
  17. VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
  18. MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
  19. EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
  20. AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
  21. iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
  22. KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
  23. yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
  24. BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
  25. Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
  26. A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
  27. BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
  28. BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
  29. Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
  30. Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
  31. FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
  32. KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
  33. CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
  34. mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
  35. ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
  36. -----END CERTIFICATE-----

Extracted data

The delimiters and \n will be removed. If there are more than one certificate, they are separated by a “,“.

X-Forwarded-Tls-Client-Cert value could exceed the web server header size limit

The header size limit of web servers is commonly between 4kb and 8kb. You could change the server configuration to allow bigger header or use the info option with the needed field(s).

info

The info option selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The value of the header is an escaped concatenation of all the selected certificate details.

The following example shows an unescaped result that uses all the available fields:

  1. Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.example.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"

Multiple certificates

If there are more than one certificate, they are separated by a ,.

info.notAfter

Set the info.notAfter option to true to add the Not After information from the Validity part.

The data is taken from the following certificate part:

  1.     Validity
  2.         Not After : Dec  5 11:10:16 2020 GMT

The escaped notAfter info part is formatted as below:

  1. NA="1607166616"

info.notBefore

Set the info.notBefore option to true to add the Not Before information from the Validity part.

The data is taken from the following certificate part:

  1. Validity
  2.     Not Before: Dec  6 11:10:16 2018 GMT

The escaped notBefore info part is formatted as below:

  1. NB="1544094616"

info.sans

Set the info.sans option to true to add the Subject Alternative Name information from the Subject Alternative Name part.

The data is taken from the following certificate part:

  1.  X509v3 Subject Alternative Name:
  2.     DNS:*.example.org, DNS:*.example.net, DNS:*.example.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@example.org, email:test@example.net

The escape SANs info part is formatted as below:

  1. SAN="*.example.org,*.example.net,*.example.com,test@example.org,test@example.net,10.0.1.0,10.0.1.2"

Multiple values

The SANs are separated by a ,.

info.subject

The info.subject selects the specific client certificate subject details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The data is taken from the following certificate part:

  1. Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.example.org, CN=*.example.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@example.org/emailAddress=cert@sexample.com
info.subject.country

Set the info.subject.country option to true to add the country information into the subject.

The data is taken from the subject part with the C key.

The escape country info in the subject part is formatted as below:

  1. C=FR,C=US
info.subject.province

Set the info.subject.province option to true to add the province information into the subject.

The data is taken from the subject part with the ST key.

The escape province info in the subject part is formatted as below:

  1. ST=Cheese org state,ST=Cheese com state
info.subject.locality

Set the info.subject.locality option to true to add the locality information into the subject.

The data is taken from the subject part with the L key.

The escape locality info in the subject part is formatted as below:

  1. L=TOULOUSE,L=LYON
info.subject.organization

Set the info.subject.organization option to true to add the organization information into the subject.

The data is taken from the subject part with the O key.

The escape organization info in the subject part is formatted as below:

  1. O=Cheese,O=Cheese 2
info.subject.commonName

Set the info.subject.commonName option to true to add the commonName information into the subject.

The data is taken from the subject part with the CN key.

The escape common name info in the subject part is formatted as below:

  1. CN=*.example.com
info.subject.serialNumber

Set the info.subject.serialNumber option to true to add the serialNumber information into the subject.

The data is taken from the subject part with the SN key.

The escape serial number info in the subject part is formatted as below:

  1. SN=1234567890
info.subject.domainComponent

Set the info.subject.domainComponent option to true to add the domainComponent information into the subject.

The data is taken from the subject part with the DC key.

The escape domain component info in the subject part is formatted as below:

  1. DC=org,DC=cheese

info.issuer

The info.issuer selects the specific client certificate issuer details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

The data is taken from the following certificate part:

  1. Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
info.issuer.country

Set the info.issuer.country option to true to add the country information into the issuer.

The data is taken from the issuer part with the C key.

The escape country info in the issuer part is formatted as below:

  1. C=FR,C=US
info.issuer.province

Set the info.issuer.province option to true to add the province information into the issuer.

The data is taken from the issuer part with the ST key.

The escape province info in the issuer part is formatted as below:

  1. ST=Signing State,ST=Signing State 2
info.issuer.locality

Set the info.issuer.locality option to true to add the locality information into the issuer.

The data is taken from the issuer part with the L key.

The escape locality info in the issuer part is formatted as below:

  1. L=TOULOUSE,L=LYON
info.issuer.organization

Set the info.issuer.organization option to true to add the organization information into the issuer.

The data is taken from the issuer part with the O key.

The escape organization info in the issuer part is formatted as below:

  1. O=Cheese,O=Cheese 2
info.issuer.commonName

Set the info.issuer.commonName option to true to add the commonName information into the issuer.

The data is taken from the issuer part with the CN key.

The escape common name info in the issuer part is formatted as below:

  1. CN=Simple Signing CA 2
info.issuer.serialNumber

Set the info.issuer.serialNumber option to true to add the serialNumber information into the issuer.

The data is taken from the issuer part with the SN key.

The escape serial number info in the issuer part is formatted as below:

  1. SN=1234567890
info.issuer.domainComponent

Set the info.issuer.domainComponent option to true to add the domainComponent information into the issuer.

The data is taken from the issuer part with the DC key.

The escape domain component info in the issuer part is formatted as below:

  1. DC=org,DC=cheese