TLS client authentication


  • Scenario: the server (BFE) must authenticate each client by its TLS certificate (TLS client authentication, also called mutual TLS), accepting only certificates issued by a CA that BFE trusts.

Configuration steps

  • Step 1. Generate root certificate. root.key is the trust anchor for every client BFE will accept: anyone holding it can issue certificates that pass client authentication, so keep it offline and protect it accordingly.
openssl genrsa -out root.key 2048

openssl req -new -x509 -days 365 -key root.key -out root.crt
  • Step 2. Create a client certificate signing request
openssl genrsa -out client.key 2048

openssl req -new -out client.csr -key client.key
  • Step 3. Generate client certificate. The extension file restricts the certificate to client authentication and marks it as a non-CA certificate. The certificate must be signed with the root key (-CA/-CAkey), not with the client key, so -signkey does not belong here; -CAcreateserial creates root.srl on first use (older OpenSSL versions fail without it).
echo "extendedKeyUsage = clientAuth" > openssl.cnf
echo "basicConstraints = CA:FALSE" >> openssl.cnf

openssl x509 -req -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 -extfile openssl.cnf -out client.crt
  • Step 4. Configure the layer 4 load balancing service. In this example HAProxy is used as the layer 4 load balancer, and the VIP is passed to BFE using the PROXY protocol. HAProxy can be installed with "apt install haproxy" on Ubuntu. Because BFE trusts the addresses carried in the PROXY protocol header, BFE's listening ports must be reachable only from HAProxy; a client that could connect to BFE directly could otherwise forge the source address and VIP. For more details, see

Configuration file (haproxy.cfg) example. The frontends listen on the standard ports 80 and 443; BFE_IP stands for the address of the BFE instance, and 8080 and 8443 are BFE's default HTTP and HTTPS ports. send-proxy is what prepends the PROXY protocol header to each forwarded connection:

defaults
        mode    tcp
        balance leastconn
        timeout client      3000ms
        timeout server      3000ms
        timeout connect     3000ms

frontend fr_server_http
        bind *:80
        default_backend bk_server_http

backend bk_server_http
        server srv1 BFE_IP:8080 maxconn 2048 send-proxy

frontend fr_server_https
        bind *:443
        default_backend bk_server_https

backend bk_server_https
        server srv1 BFE_IP:8443 maxconn 2048 send-proxy

Run HAProxy

haproxy -f haproxy.cfg
  • Step 5. Configure BFE. Copy root.crt to the tls_conf/client_ca directory (note: the root certificate file must have the ".crt" suffix; the file name without the suffix is the ClientCAName referenced below). In conf/bfe.conf, enable PROXY protocol handling on the listeners and point BFE at the client CA directory:
Layer4LoadBalancer = "PROXY"

ClientCABaseDir = tls_conf/client_ca

Modify the TLS rule configuration under conf/ and set "ClientAuth" to true and "ClientCAName" to the name of the root certificate (without the ".crt" suffix). In the example below, VIP is a placeholder for the address that HAProxy forwards in the PROXY protocol header, and the NextProtos lists are the ALPN protocols to offer:

{
    "Version": "12",
    "DefaultNextProtos": ["h2", "http/1.1"],
    "Config": {
        "example_product": {
            "VipConf": ["VIP"],
            "SniConf": null,
            "CertName": "",
            "NextProtos": ["h2", "http/1.1"],
            "Grade": "C",
            "ClientAuth": true,
            "ClientCAName": "root"
        }
    }
}

Run BFE.

./bfe -c ../conf
  • Step 6. Verify configuration. Connect through the HAProxy HTTPS frontend (VIP:443 below is a placeholder for the address HAProxy listens on) and present the client certificate; the handshake should complete. Then repeat the command without -cert and -key: BFE must reject that handshake, which confirms client authentication is enforced rather than merely configured.
openssl s_client -connect VIP:443 -cert client.crt -key client.key -state -quiet
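The enforcement that Steps 1 to 6 set up can be exercised end to end without HAProxy, BFE or OpenSSL. The Go program below is an added example written for this page, not BFE's own code: it builds an in-memory root CA and certificates equivalent to Steps 1 and 3 (using ECDSA P-256 instead of RSA 2048), configures a TLS server the way "ClientAuth": true with "ClientCAName": "root" configures BFE (BFE is written in Go and its TLS stack is derived from Go's crypto/tls, so the same rules apply), and runs a mutual-TLS handshake over loopback once with the client certificate and once without. The names root, client and bfe.example are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues an ECDSA P-256 certificate for cn. A nil parent yields a self-signed root CA (Step 1);
// otherwise the certificate is signed by parent/parentKey (Step 3).
func newCert(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // plays the role of "extendedKeyUsage = clientAuth" in openssl.cnf
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyClientCert is the check a Go TLS server applies under RequireAndVerifyClientCert:
// the leaf must chain to a trusted client CA and its EKU must permit clientAuth.
func verifyClientCert(clientCA, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// serverConfig is the Go equivalent of "ClientAuth": true with "ClientCAName": "root".
func serverConfig(cert *x509.Certificate, key *ecdsa.PrivateKey, clientCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA)
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// handshake runs one TLS handshake over loopback TCP and returns the server's verdict
// (under TLS 1.3 the client's Handshake can return nil before the server rejects its cert).
func handshake(srvCfg, cliCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		verdict <- err
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
		c.Close()
	}
	return <-verdict
}

func main() {
	root, rootKey, _ := newCert("root", nil, nil, nil)
	srv, srvKey, _ := newCert("bfe.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, root, rootKey)
	cli, cliKey, _ := newCert("client", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	withCert := &tls.Config{RootCAs: roots, ServerName: "bfe.example",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}}}
	withoutCert := &tls.Config{RootCAs: roots, ServerName: "bfe.example"}
	fmt.Println("client cert issued by root:", handshake(serverConfig(srv, srvKey, root), withCert))
	fmt.Println("no client cert presented:  ", handshake(serverConfig(srv, srvKey, root), withoutCert))
}
```

Running it prints a nil verdict for the first handshake and a server-side error for the second, which is the behaviour Step 6 checks against the real deployment. verifyClientCert also shows why Step 3's extension file matters: a certificate signed by the same root but carrying only a serverAuth EKU fails the clientAuth usage check, and a clientAuth certificate from an unrelated CA fails the chain check, exactly as they would at BFE.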