
Edge Security Acceleration: Client Certificate

Last Updated: Feb 25, 2025

By configuring a client certificate, you can enable mutual TLS authentication (mTLS) on the connection between the client and the Edge Security Acceleration (ESA) node, so that the node verifies the identity of the client in addition to the client verifying the node.

Issue Client Certificates

You can use the CA provided by ESA to create a client certificate directly, then deploy the generated certificate and private key in your mobile app. ESA generates a unique CA for each account, and all client certificates issued by that CA are trusted by the node by default.

Create Certificate

  1. In the ESA console, select Site Management, and click Site Name or the Action column's Details.

  2. In the left navigation bar, select SSL/TLS > Client Certificate, and click Create Certificate.

  3. Depending on your specific needs, select the CSR Generation Method, Private Key Type, and Certificate Validity Period.

    Note

    The default validity period of a certificate is one year.

  4. Click Confirm.

    Important

    In the Preview Certificate dialog box, click Copy Certificate and Copy Private Key and paste the content into your client. After you close the dialog box, the certificate and private key cannot be viewed again anywhere in the console, so store the private key securely before closing it.

Bind Domain Name

  1. In the ESA console, select Site Management, and click the Site Name or the Action column's Details.

  2. In the left menu bar, click SSL/TLS > Client Certificate.

  3. In the Client Certificate section, locate the certificate and click Configuration.

  4. Enter the domain name into the Domain Name Information box.

    Note
    • You can enter up to 50 domain names at a time.

    • The domain names must belong to the current site.

  5. Click Confirm.

Revoke Certificate

If a certificate is no longer in use, revoke it by using the following steps. Once revoked, the certificate is no longer trusted by the node:

  1. In the ESA console, select Site Management, and click Site Name or the Action column's Details.

  2. Click the left menu bar's SSL/TLS > Client Certificate.

  3. In the Client Certificate list, click Revoke in the Action column of the certificate.

  4. In the pop-up dialog box, check the I Have Confirmed That This Certificate Is No Longer In Use option, and click Confirm.

Custom Certificate Issuance

In addition to using client certificates issued by the ESA CA as described above, you can use certificates issued by your own private CA. In this case, you must configure the CA certificate that issued them, so that the node can verify the client certificates against it.

Note

Custom certificate issuance is currently supported only through OpenAPI, and at most 5 CA certificates can be uploaded per package.

Procedure

  1. Call the Upload Client mTLS CA Certificate operation to upload the CA root certificate, and record the certificate ID returned in the OpenAPI response.

  2. Call the Domain Name Binding operation to bind the list of hosts on which the CA certificate takes effect. Only bound hosts can use the mTLS feature, and they perform mTLS verification against the corresponding CA certificate.

  3. The other OpenAPI operations related to the custom mTLS CA feature are listed in the table below.

    Interface Name                    Interface Description
    UploadClientCaCertificate         Upload a custom issued CA certificate.
    ListClientCaCertificates          Display all uploaded custom issued CA certificates.
    DeleteClientCaCertificate         Delete a custom issued CA certificate.
    GetClientCaCertificate            Query the details of a custom issued CA certificate.
    SetClientCertificateHostnames     Bind domain names for a custom issued CA certificate.
    GetClientCertificateHostnames     Query the domain name binding status of a custom issued CA certificate.

Intercept Authentication Failed Requests

You can intercept requests that fail client certificate authentication, or that present no client certificate at all, by configuring WAF rules.

Procedure

  1. In the ESA console, select Site Management and click either the Site Name or the Action column's Details.

  2. In the left navigation bar, click SSL/TLS > Client Certificate > Create Mtls Rule to access the custom rule configuration page.


  3. Configure WAF custom rules.

    • Set the Verified Client Certificate condition (the required value appears only as an image in the original page and is not reproduced here).

    • Enter the domain name you want to intercept in the Hostname field.

      Important

      Be sure to configure the hostname condition. Otherwise, the rule applies to every domain name of the site, and all requests that do not perform client certificate authentication or fail it will be intercepted.


  4. Set the Action to Intercept, or choose another action according to your needs.


  5. Click Confirm to complete the addition of the rule.

    Once the rule is added, every request to the domain names covered by the rule that does not perform client certificate authentication, or fails it, is intercepted and answered with a 403 status code.
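The following added example is not part of the ESA documentation or the ESA product code; it is a local, self-contained illustration of the two ideas on this page: issuing client certificates from your own private CA (the Custom Certificate Issuance section, where the CA certificate file produced here is the kind of artifact you would upload with UploadClientCaCertificate) and rejecting requests whose client certificate is absent or does not chain to the configured CA (the Intercept Authentication Failed Requests section). It assumes the openssl command-line tool is installed and uses Python's standard ssl module as a stand-in for the ESA node; all names, subjects and file names are constructed for the example.

```python
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Assumed extension profile for issued client certificates (not ESA's profile):
# a non-CA leaf certificate restricted to TLS client authentication.
CLIENT_EXT = (
    "basicConstraints=CA:FALSE\n"
    "subjectKeyIdentifier=hash\n"
    "authorityKeyIdentifier=keyid\n"
    "extendedKeyUsage=clientAuth\n"
)
EC_KEY = ["-newkey", "ec", "-pkeyopt", "ec_paramgen_curve:prime256v1"]


def openssl(d, *args):
    """Run one openssl subcommand inside directory d; raise if it fails."""
    subprocess.run(["openssl", *args], cwd=d, check=True, capture_output=True)


def make_ca(d, name, key, crt):
    """Create a self-signed private root CA (P-256 key, 1-day validity)."""
    openssl(d, "req", "-x509", "-nodes", "-days", "1", "-subj", f"/CN={name}",
            *EC_KEY, "-keyout", key, "-out", crt)


def issue_client_cert(d, ca_crt, ca_key, cn, key, crt):
    """Generate a client key and CSR, then sign the CSR with the given CA."""
    csr, ext = crt + ".csr", crt + ".ext"
    with open(ext, "w") as f:
        f.write(CLIENT_EXT)
    openssl(d, "req", "-new", "-nodes", "-subj", f"/CN={cn}", *EC_KEY,
            "-keyout", key, "-out", csr)
    openssl(d, "x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt,
            "-CAkey", ca_key, "-CAcreateserial", "-extfile", ext, "-out", crt)


def verify_chain(d, ca_crt, crt):
    """True when crt chains to ca_crt: the check an mTLS endpoint performs."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, crt],
                       cwd=d, capture_output=True)
    return r.returncode == 0


def start_mtls_server(server_crt, server_key, client_ca, n_conns):
    """Loopback TLS server that requires a client certificate from client_ca.
    Returns the port; handles n_conns connections on a background thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.load_verify_locations(client_ca)   # the "uploaded CA certificate"
    ctx.verify_mode = ssl.CERT_REQUIRED    # no cert, or wrong CA -> rejected
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        for _ in range(n_conns):
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(64)
                    tls.sendall(b"200 OK")
            except (ssl.SSLError, OSError):
                pass  # failed client authentication: connection dropped
        lsock.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def try_connect(port, server_ca, client_crt=None, client_key=None):
    """Connect like an app would; return 'accepted' or 'rejected'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(server_ca)
    if client_crt:
        ctx.load_cert_chain(client_crt, client_key)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return "accepted" if tls.recv(64) == b"200 OK" else "rejected"
    except (ssl.SSLError, OSError):
        return "rejected"


def run_demo():
    """Issue certs from two CAs and show which ones the endpoint accepts."""
    d = tempfile.mkdtemp()
    p = lambda n: os.path.join(d, n)
    make_ca(d, "Example Private Client CA", p("ca.key"), p("ca.crt"))
    make_ca(d, "Unrelated CA", p("other.key"), p("other.crt"))
    issue_client_cert(d, p("ca.crt"), p("ca.key"), "mobile-app", p("client.key"), p("client.crt"))
    issue_client_cert(d, p("other.crt"), p("other.key"), "impostor", p("bad.key"), p("bad.crt"))
    # Self-signed server certificate for localhost (stands in for the node's cert).
    openssl(d, "req", "-x509", "-nodes", "-days", "1", "-subj", "/CN=localhost",
            "-addext", "subjectAltName=DNS:localhost", *EC_KEY,
            "-keyout", p("server.key"), "-out", p("server.crt"))
    port = start_mtls_server(p("server.crt"), p("server.key"), p("ca.crt"), 3)
    result = {
        "chain_ok": verify_chain(d, p("ca.crt"), p("client.crt")),
        "chain_wrong_ca": verify_chain(d, p("ca.crt"), p("bad.crt")),
        "no_cert": try_connect(port, p("server.crt")),
        "good_cert": try_connect(port, p("server.crt"), p("client.crt"), p("client.key")),
        "wrong_ca_cert": try_connect(port, p("server.crt"), p("bad.crt"), p("bad.key")),
    }
    shutil.rmtree(d)
    return result


if __name__ == "__main__":
    print(run_demo())
```

One difference from the ESA flow is worth keeping in mind: in this example the rejection happens inside the TLS handshake, whereas the page describes the node recording the verification result and a WAF rule returning 403 for requests whose client certificate was not verified. The defender's outcome is the same in both cases: only certificates that chain to the CA you configured (here ca.crt; on ESA, the uploaded CA) reach the application, and the offline `openssl verify` call is a quick way to confirm a certificate will pass before deploying it to clients.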