Class ClientCertificate


public class ClientCertificate extends ObjectWithJsonToString
Expectation criteria for matching the mutual-TLS client-certificate chain a request was received with.

The criteria are matched against the leaf certificate (index 0) of the request's clientCertificateChain — the client's own certificate, per RFC 5246 / RFC 8446, where the sender's certificate is always first in the chain. Intermediate and root CA certificates further down the chain are not matched here (the issuer criterion is the intended way to constrain the signing CA).

Each criterion is a NottableString so it supports the usual regex, ! negation and optional semantics:

  • subject — matches the leaf certificate's Common Name (CN), full subject Distinguished Name, or any Subject Alternative Name (DNS / IP / email / URI). A match against any of these is a match.
  • issuer — matches the leaf certificate's issuer Common Name (CN) or full issuer Distinguished Name.
  • fingerprintSha256 — matches the SHA-256 fingerprint of the leaf certificate's DER encoding. Both the matcher value and the computed fingerprint are normalised (colons and whitespace removed, compared case-insensitively) so AB:CD:... and abcd... are equivalent.
A request that presents no client-certificate chain never matches a non-blank ClientCertificate criterion.
Author:
jamesdbloom