
2.3. Client-Cert-Chain HTTP Header Field

In the context of a TLS terminating reverse proxy deployment, the proxy MAY make the certificate chain available to the backend application with the Client-Cert-Chain HTTP header field.

Client-Cert-Chain is a List (Section 3.1 of [STRUCTURED-FIELDS]). Each item in the List MUST be a Byte Sequence encoded as described in Section 2.1. The order is the same as the ordering in TLS (as described in Section 4.4.2 of [TLS]).

Client-Cert-Chain MUST NOT appear unless Client-Cert is also present, and it does not itself include the end-entity certificate that is already present in Client-Cert. The root certificate MAY be omitted from Client-Cert-Chain, provided that the target origin server is known to possess the omitted trust anchor.

The Client-Cert-Chain header field is only for use in HTTP requests and MUST NOT be used in HTTP responses. It MAY have a list of values or occur multiple times in a request. For header compression purposes, it might be advantageous to split lists into multiple instances.
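The following is an added worked example, not code from RFC 9440 or from any proxy or framework, showing both sides of the exchange described above: the proxy serialising the chain as Client-Cert-Chain field lines (optionally one certificate per line, as the header-compression note suggests), and the backend combining repeated lines, decoding each Structured Field Byte Sequence ([STRUCTURED-FIELDS] is RFC 8941) and enforcing the rules of this section: no Client-Cert-Chain without Client-Cert, the end-entity certificate not repeated in the chain, and every member a Byte Sequence carrying a DER blob. The function names and the three DER blobs are this example's own; the blobs are minimal constructed DER SEQUENCEs standing in for certificates, not real X.509 data, and the DER check is only a structural sanity check, not certificate validation.

```python
import base64
import re
from typing import Dict, Iterable, List, Optional, Tuple

# One Structured Field Byte Sequence (RFC 8941, Section 3.3.5): base64 between colons.
# Parameters (";key=value") are not expected on this field and are rejected here.
_BYTE_SEQ_RE = re.compile(r"^:([A-Za-z0-9+/=]*):$")


def parse_byte_sequence(item: str) -> bytes:
    """Decode one ':base64:' item to raw bytes (the DER certificate, per Section 2.1).
    Missing '=' padding is synthesised, as RFC 8941 Section 4.2.7 asks of parsers."""
    m = _BYTE_SEQ_RE.match(item.strip())
    if not m:
        raise ValueError(f"not a Byte Sequence: {item!r}")
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def parse_byte_sequence_list(field_values: Iterable[str]) -> List[bytes]:
    """Parse a List of Byte Sequences that may be spread over several field lines.
    RFC 8941 Section 4.2 joins repeated lines with commas, so order is preserved."""
    items: List[bytes] = []
    for value in field_values:
        if value.strip() == "":
            continue                      # an empty field line carries no members
        for member in value.split(","):   # ',' cannot occur inside base64, so this is safe
            member = member.strip()
            if member == "":
                raise ValueError("empty List member (trailing or doubled comma)")
            items.append(parse_byte_sequence(member))
    return items


def looks_like_der_sequence(der: bytes) -> bool:
    """Cheap structural check: a DER Certificate is one SEQUENCE (tag 0x30) whose
    encoded length covers exactly the rest of the blob. Rejects obvious garbage only."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def extract_client_certs(headers: Iterable[Tuple[str, str]]) -> Tuple[bytes, List[bytes]]:
    """Backend side: return (end_entity_der, chain_ders) from the request headers,
    given as (name, value) pairs (names case-insensitive, repeated lines kept in order).
    Raises ValueError on any violation of the Client-Cert / Client-Cert-Chain rules."""
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    cert_lines = by_name.get("client-cert", [])
    chain_lines = by_name.get("client-cert-chain", [])
    if not cert_lines:
        if chain_lines:
            raise ValueError("Client-Cert-Chain present without Client-Cert")
        raise ValueError("no client certificate presented")
    ee_items = parse_byte_sequence_list(cert_lines)   # Client-Cert: the single end-entity cert
    if len(ee_items) != 1:
        raise ValueError("Client-Cert must carry exactly one certificate")
    end_entity = ee_items[0]
    chain = parse_byte_sequence_list(chain_lines)     # TLS order: issuer of end-entity first
    for der in [end_entity, *chain]:
        if not looks_like_der_sequence(der):
            raise ValueError("item is not a DER SEQUENCE")
    if end_entity in chain:
        raise ValueError("Client-Cert-Chain repeats the end-entity certificate")
    return end_entity, chain


def validation_error(headers: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Return the rejection reason for a header set, or None if it is acceptable."""
    try:
        extract_client_certs(headers)
    except ValueError as exc:
        return str(exc)
    return None


def build_client_cert_chain(chain_ders: Iterable[bytes], split: bool = False) -> List[Tuple[str, str]]:
    """Proxy side: serialise the intermediate (and optionally root) certificates as
    Client-Cert-Chain field lines. split=True emits one certificate per line."""
    members = [":" + base64.b64encode(der).decode("ascii") + ":" for der in chain_ders]
    if not members:
        return []                         # an empty List is expressed by omitting the field
    if split:
        return [("Client-Cert-Chain", m) for m in members]
    return [("Client-Cert-Chain", ", ".join(members))]


# Constructed placeholder DER blobs (valid SEQUENCE encodings, NOT real certificates).
EE_DER = b"\x30\x04\x04\x02ee"
ICA_DER = b"\x30\x05\x04\x03ica"
ROOT_DER = b"\x30\x06\x04\x04root"


def demo() -> Tuple[bytes, List[bytes]]:
    """Proxy emits Client-Cert plus a split Client-Cert-Chain; backend reads them back."""
    headers = [("Client-Cert", ":" + base64.b64encode(EE_DER).decode("ascii") + ":")]
    headers += build_client_cert_chain([ICA_DER, ROOT_DER], split=True)
    return extract_client_certs(headers)


if __name__ == "__main__":
    print(demo())
```

The backend deliberately fails closed on a chain without Client-Cert and on a chain that repeats the end-entity certificate, since either indicates a proxy that is not following this section or a request that did not pass through the proxy at all; whether the final chain member is a root the origin already holds is left to the origin's path validation, which this example does not perform.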

Figure 3 in Appendix A has an example of the Client-Cert-Chain header field.