By configuring a client certificate, you enable mutual TLS (mTLS) authentication on the connection between the client and the Edge Security Acceleration (ESA) node: the node verifies the client's certificate in addition to the client verifying the node's, which raises the security level of client access.
Issue Client Certificates
You can use the CA provided by ESA to create a client certificate and then deploy the generated certificate and its private key in your mobile app. ESA generates a unique CA for each account, and ESA nodes trust every client certificate issued by that CA by default. Because possession of an issued certificate and key is what the node checks, protect the private key on the client and revoke certificates that are no longer in use.
Create Certificate
In the ESA console, choose Site Management and click the site name or Details in the Actions column.
In the left navigation bar, select , and click Create Certificate. Select the CSR Generation Method, Private Key Type, and Certificate Validity Period according to your needs.
Note: The default validity period of a certificate is one year.
Click Confirm.
Important: In the Preview Certificate dialog box, click Copy Certificate and Copy Private Key, and store the content securely on your client. After you close the dialog box, the certificate and private key are not displayed anywhere else, so this is the only opportunity to save them.
Bind Domain Name
In the ESA console, choose Site Management and click the site name or Details in the Actions column.
In the left menu bar, click . In the Client Certificate section, under Certificate, click Configuration.
Enter the domain name into the Domain Name Information box.
Note: You can enter up to 50 domain names at a time, and they must belong to the current site.
Click Confirm.
Revoke Certificate
If a certificate is no longer in use, revoke it as follows:
In the ESA console, choose Site Management and click the site name or Details in the Actions column.
In the left menu bar, click . Select the certificate to revoke and click Revoke. In the dialog box that appears, select I Have Confirmed That This Certificate Is No Longer In Use, and click Confirm.
Custom Certificate Issuance
Besides client certificates issued by the ESA CA as described above, you can use client certificates issued by your own (private) CA. In that case you must upload that CA's certificate so that the node can verify the client certificates it issued.
Custom certificate issuance is currently supported only through OpenAPI, and at most 5 CA certificates can be uploaded per package.
Procedure
Call the Upload Client mTLS CA Certificate operation to upload the CA root certificate, and record the certificate ID returned in the response.
Call the Domain Name Binding operation to bind the list of hosts on which the CA certificate takes effect. Only bound hosts use mTLS, and they verify client certificates against the bound CA certificate.
The other OpenAPI operations for the custom mTLS certificate feature are:
- Upload a custom-issued CA certificate.
- List all uploaded custom-issued CA certificates.
- Delete a custom-issued CA certificate.
- Query the details of a custom-issued CA certificate.
- Bind domain names to a custom-issued CA certificate.
- Query the domain-name binding status of a custom-issued CA certificate.
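The following Go program is an added example, not ESA's code or API. It builds a private CA of the kind used under Custom Certificate Issuance, issues a one-year client certificate of the kind deployed in an app (the CA name, subject names, host name and validity are placeholders), prints the PEM that the upload and copy steps above expect, and in VerifyClient approximates the check a node performs before it treats a client certificate as verified: the certificate must chain to a CA bound to the host, be within its validity period, and be permitted for TLS client authentication. ESA's exact verification logic is not documented on this page, so VerifyClient is a model, not the node's implementation. The negative cases matter as much as the positive one: a certificate from a CA you did not upload, a server certificate presented as a client certificate, and an expired certificate all fail. Requires Go 1.18 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: fine for building demo fixtures, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate from tmpl signed by parent; parent == nil self-signs.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl.NotBefore = time.Now().Add(-time.Hour) // tolerate clock skew on the verifying node
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewCA creates a private root CA. Its certificate is what you upload; its key never leaves you.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueLeaf creates an end-entity certificate under ca with the given validity and extended key
// usage. A client certificate uses x509.ExtKeyUsageClientAuth and needs no DNS names.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, validity time.Duration, eku x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		NotAfter:    time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}, ca, caKey)
}

// CertPEM and KeyPEM render the artifacts in the PEM form that the console's copy buttons and the
// CA-upload OpenAPI work with.
func CertPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

func KeyPEM(k *ecdsa.PrivateKey) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(k))}))
}

// VerifyClient models the check a node applies to a presented client certificate: it must chain to
// one of the CAs bound to the host, be inside its validity period, and be permitted for TLS client
// authentication. A nil error means the certificate counts as verified.
func VerifyClient(leaf *x509.Certificate, boundCAs ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range boundCAs {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	const year = 365 * 24 * time.Hour
	ca, caKey := NewCA("Example Private Client CA") // placeholder name
	otherCA, otherKey := NewCA("Unrelated CA")      // a CA you did not upload
	fmt.Print(CertPEM(ca))                          // upload this PEM; keep caKey offline

	client, clientKey := IssueLeaf(ca, caKey, "mobile-app-v1", year, x509.ExtKeyUsageClientAuth)
	fmt.Print(CertPEM(client), KeyPEM(clientKey)) // both go to the app, like Copy Certificate / Copy Private Key
	rogue, _ := IssueLeaf(otherCA, otherKey, "not-our-client", year, x509.ExtKeyUsageClientAuth)
	server, _ := IssueLeaf(ca, caKey, "app.example.com", year, x509.ExtKeyUsageServerAuth)
	expired, _ := IssueLeaf(ca, caKey, "old-build", -time.Minute, x509.ExtKeyUsageClientAuth)

	fmt.Println("issued client:        ", VerifyClient(client, ca))  // <nil>
	fmt.Println("unbound CA:           ", VerifyClient(rogue, ca))   // signed by unknown authority
	fmt.Println("server cert as client:", VerifyClient(server, ca))  // incompatible key usage
	fmt.Println("expired:              ", VerifyClient(expired, ca)) // certificate has expired
}
```

Run it with go run. Only the CA certificate is uploaded; the CA private key stays offline, because anyone holding it can mint client certificates that every bound host will accept. Passing several CAs to VerifyClient mirrors binding more than one uploaded CA to the same host.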
Intercept Authentication Failed Requests
Binding a client certificate or CA makes the ESA node verify the certificate a client presents, but by itself that does not stop requests that present no certificate, or fail verification, from being served. To intercept those requests, configure a WAF custom rule as follows.
Procedure
In the ESA console, choose Site Management and click the site name or Details in the Actions column.
In the left navigation bar, click  to open the custom rule configuration page, and configure a WAF custom rule. Set the Verified Client Certificate condition to .
In the Hostname field, enter the domain name whose failed requests you want to intercept.
Important: Be sure to configure the hostname condition. Otherwise the rule applies to the whole site, and every request that does not perform client certificate authentication, or fails it, is intercepted, including requests to domain names for which no client certificate has been bound.
Set Action to Intercept, or choose another action as needed.
Click Confirm to add the rule.
After the rule is added, requests to the domain names in the rule that do not perform client certificate authentication, or fail it, are intercepted and receive a 403 status code. To confirm that the rule is in effect, send one request to the domain without a client certificate and expect a 403, then send one that presents the issued certificate and private key and expect the normal response.