What is client certificate authentication? (SSL/TLS Web)


Client certificate authentication is a certificate-based authentication mechanism where the client identifies itself to the server by sending a signed certificate.

A Client certificate is also known as:

  • end-user certificate
  • device certificate

The server just needs to verify the certificate to authenticate the client.

This is part of the SSL handshake.

Because a client certificate is a keystore that contains

it's also known as an identity certificate.

Because of the private key, it should be passphrase-protected and is therefore generally stored in a p12 keystore.

In the (extended) certificate usages, this authentication is also known as SSL/TLS Web Client Authentication, or client authentication for short.

Usage: Two-factor

Multi-Factor Authentication (MFA / 2FA): you can configure an application (such as a web site) so that any user wishing to connect is required to provide:


The configuration is the inverse of the server one.

In a server configuration,

  • the server has:
    • its signed certificate
    • and its own private key
  • the client has the trusted certificate authority.

while in a client configuration:

  • the client has:
    • its signed certificate
    • and its own private key
  • the server has the trusted certificate authority.
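The client-side layout above, as an added example that is not part of the original page: a throwaway CA signs a client certificate marked for client authentication, the key and certificate are bundled in a passphrase-protected p12 keystore, and the server-side check uses only the CA certificate. All file names, subjects and the passphrase are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. File names, subjects and the passphrase are constructed.

# make_ca DIR: create the certificate authority.
# The server keeps only ca.crt as its trust anchor.
make_ca() {
  cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Client CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME EKU: new private key plus a certificate signed by the CA.
issue_cert() {
  openssl req -new -config "$1/req.cnf" -subj "/CN=$2" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  printf 'extendedKeyUsage = %s\n' "$3" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# export_p12 DIR NAME PASSPHRASE: key and certificate in one protected keystore.
export_p12() {
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
    -passout "pass:$3" -out "$1/$2.p12" 2>/dev/null
}

# verify_client_cert CA CERT: succeeds only if CERT chains to CA and its
# extended key usage allows TLS client authentication.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_ca "$demo" && issue_cert "$demo" alice clientAuth &&
  export_p12 "$demo" alice constructed-passphrase &&
  verify_client_cert "$demo/ca.crt" "$demo/alice.crt" && echo "alice.crt accepted"
rm -rf "$demo"
```

Outside a demo, supply the keystore passphrase with `env:` or `file:` instead of `pass:`, which exposes it in the process list.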

Nginx Example

How to revoke a client certificate?

A revoked certificate is a certificate that appears in a list containing all revoked certificates. See the following page for revocation management: How to revoke a certificate with the Certificate Revocation List (CRL)?

Certificate Data

A client certificate has the following extensions:

How to test / debug / check a client certificate?
