mTLS client certificate authentication for EST endpoints.
RFC 7030 §3.3.2: EST servers that support certificate-based client authentication extract the client certificate from the TLS session and validate it against the EST-dedicated truststore.
This module handles:
- Certificate extraction from the TLS session (request extension)
- Validation against the EST truststore (separate from admin truststore, per RHELBU-3536 R18)
- Subject DN and SAN extraction for identity matching
- EKU validation (id-kp-cmcRA for /fullcmc, per RHELBU-3536 R15)
- OCSP/CRL revocation checking (RHELBU-3536 R21)
- POP linking: extracting TLS client cert identity for CSR subject matching
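The POP-linking step above compares the identity in the TLS client certificate with the CSR subject. The following is an added, self-contained example (not this module's code, whose signatures are not shown here) of why a plain string comparison of two subject DNs is fragile and what a normalised comparison looks like; it assumes both DNs have already been rendered as RFC 4514 strings by the same X.509 parser, and all DN values are constructed.

```rust
// Added example, not part of the EST module: POP linking by subject DN.
// Assumes both DNs are RFC 4514 strings from the same renderer, so RDN
// order is kept significant; only case, spacing and escapes are normalised.

/// Split an RFC 4514 DN string on commas that are not backslash-escaped.
fn split_rdns(dn: &str) -> Vec<String> {
    let mut parts = Vec::new();
    let mut cur = String::new();
    let mut escaped = false;
    for ch in dn.chars() {
        match (escaped, ch) {
            (true, _) => { cur.push(ch); escaped = false; }
            (false, '\\') => { cur.push(ch); escaped = true; }
            (false, ',') => { parts.push(cur.clone()); cur.clear(); }
            (false, _) => cur.push(ch),
        }
    }
    parts.push(cur);
    parts
}

/// Normalise one "type=value" RDN: attribute types are case-insensitive,
/// surrounding whitespace is insignificant, and the usual string attribute
/// types use X.520 caseIgnoreMatch, so their values compare case-insensitively.
fn normalize_rdn(rdn: &str) -> (String, String) {
    let (ty, val) = rdn.split_once('=').unwrap_or((rdn, ""));
    let ty = ty.trim().to_ascii_lowercase();
    let val = val.trim();
    let val = match ty.as_str() {
        "cn" | "o" | "ou" | "c" | "l" | "st" | "dc" => val.to_ascii_lowercase(),
        _ => val.to_string(),
    };
    (ty, val)
}

/// Legacy-style check: exact string equality. Two encodings of the same DN
/// that differ only in case or spacing are rejected, which surfaces as
/// spurious POP-linking failures rather than a security gain.
pub fn pop_linking_simple(tls_subject: &str, csr_subject: &str) -> bool {
    tls_subject == csr_subject
}

/// Normalised check: RDN-by-RDN equality after normalisation. A CSR whose
/// subject differs in any attribute value still fails to link.
pub fn pop_linking_normalized(tls_subject: &str, csr_subject: &str) -> bool {
    let a: Vec<_> = split_rdns(tls_subject).iter().map(|r| normalize_rdn(r)).collect();
    let b: Vec<_> = split_rdns(csr_subject).iter().map(|r| normalize_rdn(r)).collect();
    a == b
}
```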
Structs
- PeerCertificate - DER-encoded client certificate injected into request extensions by the TLS accept loop.
Functions
- try_extract_mtls - Attempt to extract and validate an mTLS client certificate.
- validate_cert_attributes - Validate certificate attribute matching against configured patterns.
- validate_pop_linking - Validate that the mTLS client certificate identity matches the CSR subject.
- validate_pop_linking_simple - Validate that the mTLS client certificate subject matches the CSR subject using simple string comparison (legacy API).