What is X.509 TLS client-certificate authentication?

Client-Certificate Authentication is a mutual certificate based authentication, where users provide digital certificates compliant with the X.509 standards to the Verifalia servers to prove their identities, as part of the TLS protocol handshake; this is also called mutual or two-way TLS authentication. In fact, while TLSโ€™s primary function on the Internet is to facilitate encryption and trust that allows a web browser to validate the authenticity of a web site, the protocol works the other way around too, with X.509 client certificates used to authenticate a client to the web server.

Using client-certificate authentication

Authenticating to Verifalia using a client certificate requires the user to have that authentication method enabled on the Authentication tab, as shown in the following screenshot:

How to enable X.509 client-certificate authentication

Each X.509 client certificate must also be bound to the requesting Verifalia user through the Client certificates interface (available by way of the Manage client certificates (X.509)... link on the Authentication tab): while it is possible to use client certificates signed by a public certificate authority, organizations often set up a private certificate authority to issue client certificates. Certificates signed by a public certificate authority are expensive and are generally unnecessary, as Verifalia uses client certificates just as a transport for the public key, whose authenticity is established by an out-of-band mechanims (PKI-less CCA). See also: how to create a self-signed X.509 client certificate for TLS mutual authentication?

Client certificates can be uploaded, managed and removed by way of the aforementioned Client certificates interface. While handling a client certificate file upload, we support base64-encoded format (usually found with the file extensions .pem, .crt and .cer) or binary format (DER, usually found with the file extensions .der and .cer). Also, for additional security and compliancy with the RFC 5280, we accept only X.509 client certificates including the extended key usage extension id-kp-clientAuth (OID 1.3.6.1.5.5.7.3.2).

Here is how the Client certificates interface looks like, with a client certificate bound:

Managing X.509 TLS client certificates in Verifalia

Client-certificate authentication is currently available for our API consumers only (and not through our web-based dashboard); also we currently accept a maximum of 5 client certificates per each Verifalia user.

API endpoints

Verifalia provides dedicated API endpoints for users authenticating using an X.509 client certificate: please see our API reference guide for additional details and sample usage.


Have questions?

We are ready to help you.

Visit our help center
A repository of technical and non-technical articles about Verifalia's services.
Send us a message
Contact us with any questions or comments: support is always free of charge.

Want to chat?
Click the button below to chat live with one of our support team right now.