What is X.509 TLS client-certificate authentication?

Home Help Users and browser apps

Client-Certificate Authentication is a mutual certificate based authentication, where users provide digital certificates compliant with the X.509 standards to the Verifalia servers to prove their identities, as part of the TLS protocol handshake; this is also called mutual or two-way TLS authentication. In fact, while TLS’s primary function on the Internet is to facilitate encryption and trust that allows a web browser to validate the authenticity of a web site, the protocol works the other way around too, with X.509 client certificates used to authenticate a client to the web server.

Using client-certificate authentication

Authenticating to Verifalia using a client certificate requires the user to have that authentication method enabled on the Authentication tab, as shown in the following screenshot:

How to enable X.509 client-certificate authentication

Each X.509 client certificate must also be bound to the requesting Verifalia user through the Client certificates interface (available by way of the Manage client certificates (X.509)... link on the Authentication tab): while it is possible to use client certificates signed by a public certificate authority, organizations often set up a private certificate authority to issue client certificates. Certificates signed by a public certificate authority are expensive and are generally unnecessary, as Verifalia uses client certificates just as a transport for the public key, whose authenticity is established by an out-of-band mechanims (PKI-less CCA). See also: how to create a self-signed X.509 client certificate for TLS mutual authentication?

Client certificates can be uploaded, managed and removed by way of the aforementioned Client certificates interface. While handling a client certificate file upload, we support base64-encoded format (usually found with the file extensions .pem, .crt and .cer) or binary format (DER, usually found with the file extensions .der and .cer). Also, for additional security and compliancy with the RFC 5280, we accept only X.509 client certificates including the extended key usage extension id-kp-clientAuth (OID 1.3.6.1.5.5.7.3.2).

Here is how the Client certificates interface looks like, with a client certificate bound:

Managing X.509 TLS client certificates in Verifalia

Client-certificate authentication is currently available for our API consumers only (and not through our web-based dashboard); also we currently accept a maximum of 5 client certificates per each Verifalia user.

API endpoints

Verifalia provides dedicated API endpoints for users authenticating using an X.509 client certificate: please see our API reference guide for additional details and sample usage.

Have questions?

We are ready to help you.

Visit our help center
A repository of technical and non-technical articles about Verifalia's services.
Help center
Send us a message
Contact us with any questions or comments: support is always free of charge.
Send a message
Want to chat?
Click the button below to chat live with one of our support team right now.
Online chat

Latest tweets - twitter.com/verifalia

Monday, April 8, 2024

Starting today, all users, not just Verifalia root accounts, can now use multi-factor authentication. 🛡️ Simply set it up through the Account -> Users menu in our client area. Adding an extra layer of security has never been easier!

Thursday, March 21, 2024

Version 1.11 of our free email verification widget is out now! 📧 Now with Pardot by SalesForce support, enhanced error squiggle display, and much more!

Check it out Documentation

Thursday, February 1, 2024

🚀 Our Email Verification Widget just got an upgrade to v1.10: embed with ease, no coding needed! Now with support for the latest Verifalia API, custom classification schemes, override rules, AI-powered typo corrections, and compatibility with Zoho Sites!

Lean more Documentation

Thursday, February 1, 2024

🚀 We have just released version 3.0 of our SDK for PHP, now fully compatible with Verifalia API v2.5. Unlock new capabilities like classification override rules, AI-powered suggestions, and flexible submission/retrieval wait times!

Source

From our blog