Client-to-Imperva mTLS

To support client certificates, upload your client CA certificate to Imperva and configure your websites to use it.

Client certificates provide an additional layer of security. They are used to verify the client's identity to a server, ensuring that communication occurs over a secure and trusted connection.

The Client to Imperva (mTLS) feature supports mutual authentication between your end users and Imperva.

Note:  

  • Client certificates are supported for websites configured in Imperva for SSL and using either a dedicated site certificate provided by Imperva, or a custom certificate.
  • Client certificates are supported for SNI clients only. We do not support client certificates for non-SNI clients.
  • Client certificates are supported per domain, not per URL.

To learn more about Imperva client certificate support, see Client Certificate Support.

Overview

The growing distribution of mobile apps and electronic IDs means you may need to implement a higher level of protection, such as two-factor authentication.

In addition, IoT services may rely on embedded client certificates on end devices to validate device authenticity.

For example, Imperva client certificate support enables you to:

  • Apply a second factor of authentication
  • Validate device authenticity and avoid forgery
  • Validate the authenticity of the mobile app used to access your website

Configuring client certificate support for a website includes the following steps:

  1. Upload a CA certificate to your account.
  2. Assign the certificate to websites in your account.
  3. Configure optional client certificate support settings for your websites.

Note:  

  • When enabling Client to Imperva mTLS, it can take up to 10 minutes for changes to take effect.

  • When you first assign a certificate to a website, the client certificate is not required by default, and traffic is still permitted to access the site without presenting the client certificate. To require the client certificate for the TLS handshake, see Configure client certificate support settings.

  • mTLS is enforced only for HTTPS connections. If your application supports HTTP traffic, a connection is allowed without validation of the client identity. To enforce mTLS for all traffic to the app, redirect all HTTP traffic to HTTPS using the Redirect from HTTP to HTTPS option located in Website Delivery Settings or the HSTS settings located on the SSL/TLS Settings page.

Guidelines:

  • The certificate must be in PEM format. Supported file extensions include .pem, .crt, and .cer.
  • If more than one certificate is used for signing, they should be concatenated.
  • We recommend that the file you upload contains only one certificate.
  • You can add up to 1000 CA certificates to your account.
  • You can assign up to 120 certificates per site.

Permissions:

By default, the account admin user can manage client CA certificates for the account and websites in the account. Other users can be granted the following permissions as required:

  • Manage client CA certificates for account
  • Manage client CA certificates for site
  • View client CA certificates

The Client to Imperva (mTLS) Certificates pages are displayed only to users with the appropriate permissions.

Open the Client to Imperva (mTLS) Certificates configuration pages

The Client to Imperva (mTLS) Certificates pages enable you to manage the certificates for your account and websites.

Account-level. The account-level Client to Imperva (mTLS) Certificates page enables you to upload your client CA certificates and then assign them to websites in your account.

  1. On the top menu bar, click Application.
  2. On the sidebar, click SSL/TLS > Client to Imperva (mTLS).

Website-level. The Client to Imperva (mTLS) Certificates page located within settings for a specific website enables you to view the certificates assigned to the website, or assign a certificate from the account to the website.

  1. On the top menu bar, click Application and then select a website.

  2. Under SSL/TLS, click Client to Imperva (mTLS).

Upload a CA certificate to your account

Upload the CA certificate that is used to sign all client certificates. Then assign it to websites in your account.

To upload a certificate, open the account-level Client to Imperva (mTLS) Certificates page and click Upload New.

Options:

  • Uploaded file. The file name of the uploaded certificate file.
  • Name. Give a descriptive name to the certificate.
  • Assign to websites. Assign this certificate to the selected websites. The drop-down includes all websites in the account that are configured for SSL and using a custom certificate.

Assign a certificate to a website after upload

To assign a certificate to websites after the upload process, or change the assigned websites, do one of the following:

  • On the account-level Client to Imperva (mTLS) Certificates page, click More > Edit for a certificate and modify the list of assigned websites.

  • On the website-level Client to Imperva (mTLS) Certificates page, click Assign and select a certificate from the drop-down.

Configure client certificate support settings

Configure client certificate support settings for a website on the website-level Client to Imperva (mTLS) Certificates page, under Configuration Settings.

Note: These settings apply to all certificates assigned to the website.

View certificate details

You can view details for client CA certificates on the Client to Imperva (mTLS) Certificates page in your account or website.

  • The account-level Client to Imperva (mTLS) Certificates page displays all client CA certificates uploaded to your account.
  • The website-level Client to Imperva (mTLS) Certificates page displays all client CA certificates assigned to the website.

Send client certificate details to origin server

If client authentication by the website is also required, Imperva can send the authentication information to your origin server in a request header. For details, see Configure client certificate support settings above.

Sending additional client parameters to the origin server

If you need to pass additional client parameters to the origin server, and your service plan includes Delivery Rules, you can create delivery rules and use the following variables. If not, the Support team can implement it for you.

For more details on using these variables in delivery rules, see Create Rules.

Convert header details into a certificate object

After you receive the client certificate information, you can convert it into a certificate object.

Here is an example using ASP.NET code:

using System;
using System.Security.Cryptography.X509Certificates;
byte[] clientCertBytes = Convert.FromBase64String(certHeader); // certHeader: the base64-encoded DER certificate from the Imperva request header
X509Certificate2 certificate = new X509Certificate2(clientCertBytes);

Here is an example using Java code:

import java.io.ByteArrayInputStream;
import java.security.cert.*;
import java.util.Base64;
byte[] clientCertificateBytes = Base64.getDecoder().decode(certHeader); // certHeader: the base64-encoded DER certificate from the Imperva request header
X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(clientCertificateBytes));

Client certificate validation using a CRL

Once client certificate support is enabled for your site, you can upload a Certificate Revocation List (CRL) file to verify whether certificates are valid and trustworthy. For details, see Upload a CRL.

Certificate Manager API

You can also upload and manage client certificates and CRLs via the API. For details, see Certificate Manager API.