
    PassTLSClientCert

    Adding Client Certificates in a Header

    PassTLSClientCert adds the selected data from the passed client TLS certificate to a header.

    Configuration Examples

    Pass the escaped pem in the X-Forwarded-Tls-Client-Cert header.

    Labels (YAML)

        # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
        labels:
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem=true"

    Kubernetes Middleware resource

        # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
        apiVersion: traefik.containo.us/v1alpha1
        kind: Middleware
        metadata:
          name: test-passtlsclientcert
        spec:
          passTLSClientCert:
            pem: true

    Labels (JSON)

        "labels": {
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.pem": "true"
        }

    File (TOML)

        # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
        [http.middlewares]
          [http.middlewares.test-passtlsclientcert.passTLSClientCert]
            pem = true

    File (YAML)

        # Pass the escaped pem in the `X-Forwarded-Tls-Client-Cert` header.
        http:
          middlewares:
            test-passtlsclientcert:
              passTLSClientCert:
                pem: true

    Pass all the available info in the X-Forwarded-Tls-Client-Cert-Info header.

    Labels (YAML)

        # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
        labels:
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province=true"
          - "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber=true"

    Kubernetes Middleware resource

        # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
        apiVersion: traefik.containo.us/v1alpha1
        kind: Middleware
        metadata:
          name: test-passtlsclientcert
        spec:
          passTLSClientCert:
            info:
              notAfter: true
              notBefore: true
              sans: true
              subject:
                country: true
                province: true
                locality: true
                organization: true
                commonName: true
                serialNumber: true
                domainComponent: true
              issuer:
                country: true
                province: true
                locality: true
                organization: true
                commonName: true
                serialNumber: true
                domainComponent: true

    Labels (JSON)

        "labels": {
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notafter": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.notbefore": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.sans": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.commonname": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.country": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.domaincomponent": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.locality": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.organization": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.province": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.subject.serialnumber": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.commonname": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.country": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.domaincomponent": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.locality": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.organization": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.province": "true",
          "traefik.http.middlewares.test-passtlsclientcert.passtlsclientcert.info.issuer.serialnumber": "true"
        }

    File (TOML)

        # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
        [http.middlewares]
          [http.middlewares.test-passtlsclientcert.passTLSClientCert]
            [http.middlewares.test-passtlsclientcert.passTLSClientCert.info]
              notAfter = true
              notBefore = true
              sans = true
              [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.subject]
                country = true
                province = true
                locality = true
                organization = true
                commonName = true
                serialNumber = true
                domainComponent = true
              [http.middlewares.test-passtlsclientcert.passTLSClientCert.info.issuer]
                country = true
                province = true
                locality = true
                organization = true
                commonName = true
                serialNumber = true
                domainComponent = true

    File (YAML)

        # Pass all the available info in the `X-Forwarded-Tls-Client-Cert-Info` header
        http:
          middlewares:
            test-passtlsclientcert:
              passTLSClientCert:
                info:
                  notAfter: true
                  notBefore: true
                  sans: true
                  subject:
                    country: true
                    province: true
                    locality: true
                    organization: true
                    commonName: true
                    serialNumber: true
                    domainComponent: true
                  issuer:
                    country: true
                    province: true
                    locality: true
                    organization: true
                    commonName: true
                    serialNumber: true
                    domainComponent: true

    Configuration Options

    General

    PassTLSClientCert can add two headers to the request:

    • X-Forwarded-Tls-Client-Cert that contains the escaped pem.
    • X-Forwarded-Tls-Client-Cert-Info that contains all the selected certificate information in an escaped string.

    Note

    The header values are escaped strings, so they can be safely placed inside a URL query.

    In the following example, you can see a complete certificate. We will use each part of it to explain the middleware options.

    A complete client tls certificate

        Certificate:
            Data:
                Version: 3 (0x2)
                Serial Number: 1 (0x1)
                Signature Algorithm: sha1WithRSAEncryption
                Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com
                Validity
                    Not Before: Dec 6 11:10:16 2018 GMT
                    Not After : Dec 5 11:10:16 2020 GMT
                Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com
                Subject Public Key Info:
                    Public Key Algorithm: rsaEncryption
                        RSA Public-Key: (2048 bit)
                        Modulus:
                            00:de:77:fa:8d:03:70:30:39:dd:51:1b:cc:60:db:
                            a9:5a:13:b1:af:fe:2c:c6:38:9b:88:0a:0f:8e:d9:
                            1b:a1:1d:af:0d:66:e4:13:5b:bc:5d:36:92:d7:5e:
                            d0:fa:88:29:d3:78:e1:81:de:98:b2:a9:22:3f:bf:
                            8a:af:12:92:63:d4:a9:c3:f2:e4:7e:d2:dc:a2:c5:
                            39:1c:7a:eb:d7:12:70:63:2e:41:47:e0:f0:08:e8:
                            dc:be:09:01:ec:28:09:af:35:d7:79:9c:50:35:d1:
                            6b:e5:87:7b:34:f6:d2:31:65:1d:18:42:69:6c:04:
                            11:83:fe:44:ae:90:92:2d:0b:75:39:57:62:e6:17:
                            2f:47:2b:c7:53:dd:10:2d:c9:e3:06:13:d2:b9:ba:
                            63:2e:3c:7d:83:6b:d6:89:c9:cc:9d:4d:bf:9f:e8:
                            a3:7b:da:c8:99:2b:ba:66:d6:8e:f8:41:41:a0:c9:
                            d0:5e:c8:11:a4:55:4a:93:83:87:63:04:63:41:9c:
                            fb:68:04:67:c2:71:2f:f2:65:1d:02:5d:15:db:2c:
                            d9:04:69:85:c2:7d:0d:ea:3b:ac:85:f8:d4:8f:0f:
                            c5:70:b2:45:e1:ec:b2:54:0b:e9:f7:82:b4:9b:1b:
                            2d:b9:25:d4:ab:ca:8f:5b:44:3e:15:dd:b8:7f:b7:
                            ee:f9
                        Exponent: 65537 (0x10001)
                X509v3 extensions:
                    X509v3 Key Usage: critical
                        Digital Signature, Key Encipherment
                    X509v3 Basic Constraints:
                        CA:FALSE
                    X509v3 Extended Key Usage:
                        TLS Web Server Authentication, TLS Web Client Authentication
                    X509v3 Subject Key Identifier:
                        94:BA:73:78:A2:87:FB:58:28:28:CF:98:3B:C2:45:70:16:6E:29:2F
                    X509v3 Authority Key Identifier:
                        keyid:1E:52:A2:E8:54:D5:37:EB:D5:A8:1D:E4:C2:04:1D:37:E2:F7:70:03
                    X509v3 Subject Alternative Name:
                        DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net
            Signature Algorithm: sha1WithRSAEncryption
                 76:6b:05:b0:0e:34:11:b1:83:99:91:dc:ae:1b:e2:08:15:8b:
                 16:b2:9b:27:1c:02:ac:b5:df:1b:d0:d0:75:a4:2b:2c:5c:65:
                 ed:99:ab:f7:cd:fe:38:3f:c3:9a:22:31:1b:ac:8c:1c:c2:f9:
                 5d:d4:75:7a:2e:72:c7:85:a9:04:af:9f:2a:cc:d3:96:75:f0:
                 8e:c7:c6:76:48:ac:45:a4:b9:02:1e:2f:c0:15:c4:07:08:92:
                 cb:27:50:67:a1:c8:05:c5:3a:b3:a6:48:be:eb:d5:59:ab:a2:
                 1b:95:30:71:13:5b:0a:9a:73:3b:60:cc:10:d0:6a:c7:e5:d7:
                 8b:2f:f9:2e:98:f2:ff:81:14:24:09:e3:4b:55:57:09:1a:22:
                 74:f1:f6:40:13:31:43:89:71:0a:96:1a:05:82:1f:83:3a:87:
                 9b:17:25:ef:5a:55:f2:2d:cd:0d:4d:e4:81:58:b6:e3:8d:09:
                 62:9a:0c:bd:e4:e5:5c:f0:95:da:cb:c7:34:2c:34:5f:6d:fc:
                 60:7b:12:5b:86:fd:df:21:89:3b:48:08:30:bf:67:ff:8c:e6:
                 9b:53:cc:87:36:47:70:40:3b:d9:90:2a:d2:d2:82:c6:9c:f5:
                 d1:d8:e0:e6:fd:aa:2f:95:7e:39:ac:fc:4e:d4:ce:65:b3:ec:
                 c6:98:8a:31
        -----BEGIN CERTIFICATE-----
        MIIGWjCCBUKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCCAYQxEzARBgoJkiaJk/Is
        ZAEZFgNvcmcxFjAUBgoJkiaJk/IsZAEZFgZjaGVlc2UxDzANBgNVBAoMBkNoZWVz
        ZTERMA8GA1UECgwIQ2hlZXNlIDIxHzAdBgNVBAsMFlNpbXBsZSBTaWduaW5nIFNl
        Y3Rpb24xITAfBgNVBAsMGFNpbXBsZSBTaWduaW5nIFNlY3Rpb24gMjEaMBgGA1UE
        AwwRU2ltcGxlIFNpZ25pbmcgQ0ExHDAaBgNVBAMME1NpbXBsZSBTaWduaW5nIENB
        IDIxCzAJBgNVBAYTAkZSMQswCQYDVQQGEwJVUzERMA8GA1UEBwwIVE9VTE9VU0Ux
        DTALBgNVBAcMBExZT04xFjAUBgNVBAgMDVNpZ25pbmcgU3RhdGUxGDAWBgNVBAgM
        D1NpZ25pbmcgU3RhdGUgMjEhMB8GCSqGSIb3DQEJARYSc2ltcGxlQHNpZ25pbmcu
        Y29tMSIwIAYJKoZIhvcNAQkBFhNzaW1wbGUyQHNpZ25pbmcuY29tMB4XDTE4MTIw
        NjExMTAxNloXDTIwMTIwNTExMTAxNlowggF2MRMwEQYKCZImiZPyLGQBGRYDb3Jn
        MRYwFAYKCZImiZPyLGQBGRYGY2hlZXNlMQ8wDQYDVQQKDAZDaGVlc2UxETAPBgNV
        BAoMCENoZWVzZSAyMR8wHQYDVQQLDBZTaW1wbGUgU2lnbmluZyBTZWN0aW9uMSEw
        HwYDVQQLDBhTaW1wbGUgU2lnbmluZyBTZWN0aW9uIDIxFTATBgNVBAMMDCouY2hl
        ZXNlLm9yZzEVMBMGA1UEAwwMKi5jaGVlc2UuY29tMQswCQYDVQQGEwJGUjELMAkG
        A1UEBhMCVVMxETAPBgNVBAcMCFRPVUxPVVNFMQ0wCwYDVQQHDARMWU9OMRkwFwYD
        VQQIDBBDaGVlc2Ugb3JnIHN0YXRlMRkwFwYDVQQIDBBDaGVlc2UgY29tIHN0YXRl
        MR4wHAYJKoZIhvcNAQkBFg9jZXJ0QGNoZWVzZS5vcmcxHzAdBgkqhkiG9w0BCQEW
        EGNlcnRAc2NoZWVzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
        AQDed/qNA3AwOd1RG8xg26laE7Gv/izGOJuICg+O2RuhHa8NZuQTW7xdNpLXXtD6
        iCnTeOGB3piyqSI/v4qvEpJj1KnD8uR+0tyixTkceuvXEnBjLkFH4PAI6Ny+CQHs
        KAmvNdd5nFA10Wvlh3s09tIxZR0YQmlsBBGD/kSukJItC3U5V2LmFy9HK8dT3RAt
        yeMGE9K5umMuPH2Da9aJycydTb+f6KN72siZK7pm1o74QUGgydBeyBGkVUqTg4dj
        BGNBnPtoBGfCcS/yZR0CXRXbLNkEaYXCfQ3qO6yF+NSPD8VwskXh7LJUC+n3grSb
        Gy25JdSryo9bRD4V3bh/t+75AgMBAAGjgeAwgd0wDgYDVR0PAQH/BAQDAgWgMAkG
        A1UdEwQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQW
        BBSUunN4oof7WCgoz5g7wkVwFm4pLzAfBgNVHSMEGDAWgBQeUqLoVNU369WoHeTC
        BB034vdwAzBhBgNVHREEWjBYggwqLmNoZWVzZS5vcmeCDCouY2hlZXNlLm5ldIIM
        Ki5jaGVlc2UuY29thwQKAAEAhwQKAAECgQ90ZXN0QGNoZWVzZS5vcmeBD3Rlc3RA
        Y2hlZXNlLm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAdmsFsA40EbGDmZHcrhviCBWL
        FrKbJxwCrLXfG9DQdaQrLFxl7Zmr983+OD/DmiIxG6yMHML5XdR1ei5yx4WpBK+f
        KszTlnXwjsfGdkisRaS5Ah4vwBXEBwiSyydQZ6HIBcU6s6ZIvuvVWauiG5UwcRNb
        CppzO2DMENBqx+XXiy/5Lpjy/4EUJAnjS1VXCRoidPH2QBMxQ4lxCpYaBYIfgzqH
        mxcl71pV8i3NDU3kgVi2440JYpoMveTlXPCV2svHNCw0X238YHsSW4b93yGJO0gI
        ML9n/4zmm1PMhzZHcEA72ZAq0tKCxpz10djg5v2qL5V+Oaz8TtTOZbPsxpiKMQ==
        -----END CERTIFICATE-----

    pem

    The pem option sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate.

    In the example certificate, the data used by the pem option is the part between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters.


    Extracted data

    The delimiters and \n will be removed. If there is more than one certificate, they are separated by a ";".

    X-Forwarded-Tls-Client-Cert value could exceed the web server header size limit

    The header size limit of web servers is commonly between 4kb and 8kb. You could change the server configuration to allow bigger headers, or use the info option with the needed field(s).
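
How a backend can turn the X-Forwarded-Tls-Client-Cert value back into certificate bytes and check it against a header size limit, as an added example that is not Traefik's own code. It assumes the escaping is URL query escaping, as the note above suggests; the function names, the default 4096-byte limit and the sample bytes (constructed stand-ins, not real certificates) are illustrative.

```python
import base64
import binascii
import hashlib
from urllib.parse import quote_plus, unquote_plus

HEADER = "X-Forwarded-Tls-Client-Cert"
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def pem_to_header(pem_chain: str) -> str:
    """Header value as described above: no delimiters, no newlines, escaped, ';'-joined."""
    values = []
    for block in pem_chain.split(BEGIN)[1:]:
        body = block.split(END)[0]
        values.append(quote_plus("".join(body.split())))
    return ";".join(values)


def header_to_der(value: str) -> list[bytes]:
    """Recover each certificate's DER bytes; raise ValueError on malformed input."""
    ders = []
    # ';' and '%' are outside the base64 alphabet, so unescaping before the
    # split is safe whether or not the ';' itself arrived escaped.
    for part in unquote_plus(value).split(";"):
        if not part:
            continue
        try:
            ders.append(base64.b64decode(part, validate=True))
        except binascii.Error as exc:
            raise ValueError("header part is not valid base64") from exc
    return ders


def fingerprints(value: str) -> list[str]:
    """SHA-256 fingerprint of each forwarded certificate, for logging or pinning."""
    return [hashlib.sha256(der).hexdigest() for der in header_to_der(value)]


def fits_header_limit(value: str, limit: int = 4096) -> bool:
    """True if 'Name: value' stays within an assumed per-header size limit."""
    return len(f"{HEADER}: {value}") <= limit


# Constructed stand-ins for two DER certificates (not real X.509 data).
DER_LEAF = bytes(range(256)) * 3
DER_CA = b"constructed-ca-certificate" * 10
SAMPLE_HEADER = pem_to_header(der_to_pem(DER_LEAF) + der_to_pem(DER_CA))

if __name__ == "__main__":
    print(len(SAMPLE_HEADER), fits_header_limit(SAMPLE_HEADER))
    print(fingerprints(SAMPLE_HEADER))
```

Escaping lengthens the value (every "+", "/" and "=" becomes three characters), so the size check has to run on the escaped header, not on the PEM.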

    info

    The info option selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header. The value of the header will be an escaped concatenation of all the selected certificate details.

    The following example shows an unescaped result that uses all the available fields:

        Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2

    Multiple certificates

    If there is more than one certificate, they are separated by a ;.
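
A backend-side parser for the X-Forwarded-Tls-Client-Cert-Info value, as an added example that is not Traefik's own code. It assumes URL query escaping, that SAN is the last field of a record (as in the example above), that the first record is the client's own certificate, and that DN values contain no double quote; all function names and the sample policy are illustrative.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# One alternative per field documented on this page; a quoted DN is consumed
# whole, so text inside it is never mistaken for an NB/NA/SAN field.
FIELD_RE = re.compile(r'(Subject|Issuer)="([^"]*)"|(NB|NA)=(\d+)|SAN=(.*)')
RDN_KEY_RE = re.compile(r"[A-Za-z]+=")


def split_records(unescaped: str) -> list[str]:
    """Split on ';' (one record per certificate), ignoring ';' inside quotes."""
    records, buf, quoted = [], [], False
    for ch in unescaped:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            records.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    records.append("".join(buf))
    return [r for r in records if r]


def parse_dn(dn: str) -> dict[str, list[str]]:
    """'DC=org,DC=cheese,CN=x' -> {'DC': ['org', 'cheese'], 'CN': ['x']}."""
    out: dict[str, list[str]] = {}
    values = None
    for piece in dn.split(","):
        if RDN_KEY_RE.match(piece):
            key, value = piece.split("=", 1)
            values = out.setdefault(key, [])
            values.append(value)
        elif values:
            # Heuristic: no KEY= prefix, so the comma was part of the value.
            values[-1] += "," + piece
    return out


def parse_info_header(value: str) -> list[dict]:
    """Return one dict per certificate with only the fields that were sent."""
    certs = []
    for record in split_records(unquote_plus(value)):
        cert: dict = {}
        for m in FIELD_RE.finditer(record):
            if m.group(1):
                cert[m.group(1).lower()] = parse_dn(m.group(2))
            elif m.group(3):
                cert[m.group(3)] = int(m.group(4))
            else:
                cert["SAN"] = [s for s in m.group(5).split(",") if s]
        certs.append(cert)
    return certs


def leaf_is_acceptable(value: str, trusted_issuer_cns: set, now: int) -> bool:
    """Example policy: validity window plus an issuer CN allowlist."""
    certs = parse_info_header(value)
    if not certs:
        return False
    leaf = certs[0]
    # Fail closed when a field the policy needs was not forwarded.
    if "NB" not in leaf or "NA" not in leaf or "issuer" not in leaf:
        return False
    if not leaf["NB"] <= now <= leaf["NA"]:
        return False
    return any(cn in trusted_issuer_cns for cn in leaf["issuer"].get("CN", []))


# Constructed sample, shortened from the unescaped example on this page.
SAMPLE_UNESCAPED = (
    'Subject="DC=org,DC=cheese,C=FR,C=US,O=Cheese,O=Cheese 2,CN=*.cheese.com",'
    'Issuer="DC=org,DC=cheese,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",'
    "NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,10.0.1.0,10.0.1.2"
)
SAMPLE_HEADER = quote_plus(SAMPLE_UNESCAPED)
```

Only the fields enabled in the middleware appear in the header, so a policy that depends on a field must treat its absence as a rejection, as `leaf_is_acceptable` does.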

    info.notAfter

    Set the info.notAfter option to true to add the Not After information from the Validity part.

    The data are taken from the following certificate part:

        Validity
            Not After : Dec 5 11:10:16 2020 GMT

    The escaped notAfter info part will look like:

        NA=1607166616

    info.notBefore

    Set the info.notBefore option to true to add the Not Before information from the Validity part.

    The data are taken from the following certificate part:

        Validity
            Not Before: Dec 6 11:10:16 2018 GMT

    The escaped notBefore info part will look like:

        NB=1544094616

    info.sans

    Set the info.sans option to true to add the Subject Alternative Name information from the Subject Alternative Name part.

    The data are taken from the following certificate part:

        X509v3 Subject Alternative Name:
            DNS:*.cheese.org, DNS:*.cheese.net, DNS:*.cheese.com, IP Address:10.0.1.0, IP Address:10.0.1.2, email:test@cheese.org, email:test@cheese.net

    The escaped SANs info part will look like:

        SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2

    Multiple values

    All the SANs data are separated by a ,.

    info.subject

    The info.subject options select the specific client certificate subject details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

    The data are taken from the following certificate part:

        Subject: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=*.cheese.org, CN=*.cheese.com, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Cheese org state, ST=Cheese com state/emailAddress=cert@cheese.org/emailAddress=cert@scheese.com

    info.subject.country

    Set the info.subject.country option to true to add the country information into the subject.

    The data are taken from the subject part with the C key.

    The escaped country info in the subject part will look like:

        C=FR,C=US

    info.subject.province

    Set the info.subject.province option to true to add the province information into the subject.

    The data are taken from the subject part with the ST key.

    The escaped province info in the subject part will look like:

        ST=Cheese org state,ST=Cheese com state

    info.subject.locality

    Set the info.subject.locality option to true to add the locality information into the subject.

    The data are taken from the subject part with the L key.

    The escaped locality info in the subject part will look like:

        L=TOULOUSE,L=LYON

    info.subject.organization

    Set the info.subject.organization option to true to add the organization information into the subject.

    The data are taken from the subject part with the O key.

    The escaped organization info in the subject part will look like:

        O=Cheese,O=Cheese 2

    info.subject.commonName

    Set the info.subject.commonName option to true to add the commonName information into the subject.

    The data are taken from the subject part with the CN key.

    The escaped common name info in the subject part will look like:

        CN=*.cheese.com

    info.subject.serialNumber

    Set the info.subject.serialNumber option to true to add the serialNumber information into the subject.

    The data are taken from the subject part with the SN key.

    The escaped serial number info in the subject part will look like:

        SN=1234567890

    info.subject.domainComponent

    Set the info.subject.domainComponent option to true to add the domainComponent information into the subject.

    The data are taken from the subject part with the DC key.

    The escaped domain component info in the subject part will look like:

        DC=org,DC=cheese

    info.issuer

    The info.issuer options select the specific client certificate issuer details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.

    The data are taken from the following certificate part:

        Issuer: DC=org, DC=cheese, O=Cheese, O=Cheese 2, OU=Simple Signing Section, OU=Simple Signing Section 2, CN=Simple Signing CA, CN=Simple Signing CA 2, C=FR, C=US, L=TOULOUSE, L=LYON, ST=Signing State, ST=Signing State 2/emailAddress=simple@signing.com/emailAddress=simple2@signing.com

    info.issuer.country

    Set the info.issuer.country option to true to add the country information into the issuer.

    The data are taken from the issuer part with the C key.

    The escaped country info in the issuer part will look like:

        C=FR,C=US

    info.issuer.province

    Set the info.issuer.province option to true to add the province information into the issuer.

    The data are taken from the issuer part with the ST key.

    The escaped province info in the issuer part will look like:

        ST=Signing State,ST=Signing State 2

    info.issuer.locality

    Set the info.issuer.locality option to true to add the locality information into the issuer.

    The data are taken from the issuer part with the L key.

    The escaped locality info in the issuer part will look like:

        L=TOULOUSE,L=LYON

    info.issuer.organization

    Set the info.issuer.organization option to true to add the organization information into the issuer.

    The data are taken from the issuer part with the O key.

    The escaped organization info in the issuer part will look like:

        O=Cheese,O=Cheese 2

    info.issuer.commonName

    Set the info.issuer.commonName option to true to add the commonName information into the issuer.

    The data are taken from the issuer part with the CN key.

    The escaped common name info in the issuer part will look like:

        CN=Simple Signing CA 2

    info.issuer.serialNumber

    Set the info.issuer.serialNumber option to true to add the serialNumber information into the issuer.

    The data are taken from the issuer part with the SN key.

    The escaped serial number info in the issuer part will look like:

        SN=1234567890

    info.issuer.domainComponent

    Set the info.issuer.domainComponent option to true to add the domainComponent information into the issuer.

    The data are taken from the issuer part with the DC key.

    The escaped domain component info in the issuer part will look like:

        DC=org,DC=cheese