Our destination app needs the client certificate from the user accessing the app. If we set the certificate in the handler.SslOptions.ClientCertificates, it works perfectly. The problem is, only the certificate that was configured during the initialization is sent. We need to be able to send the certificate that was sent in from the caller to the destination app. When we use the builderContext.AddClientCertHeader(headerName: "ssl.ClientCertificate"), the certificate is sent, but the certificate is in the header and the downstream app cannot process it. Is there a way for Yarp to dynamically set the handler.SSLOptions.ClientCertificate certificate value with the certificate that was sent in from the app calling Yarp? Thank you very much for your help!
AddClientCertHeader is the standard way to pass client certificates from a proxy to the app. You can't pass on a certificate via SSLOptions because you don't have the private key. See this doc for configuring an app to consume the client cert from a header:
Hi Tratcher, thank you so much for taking the time to answer. I tried the AddCertificateForwarding before but never could get the certificate to be sent in the correct section of the call. I will try again, however. Thank you again and have a nice day.
It's not possible to forward a client cert that way; you don't have the private key. That's a TLS limitation/protection, not a YARP or HttpClient issue. Forwarding via header is the only option.
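
The destination-side setup the replies point to, as an added example (not code from this thread or from the YARP project): an ASP.NET Core `Program.cs` that rebuilds the client certificate from the header named in the question and then validates it. It assumes .NET 6+ minimal hosting with implicit usings, the `Microsoft.AspNetCore.Authentication.Certificate` package, and that the proxy sends the certificate base64-encoded; the `/whoami` route is hypothetical.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Certificate;

var builder = WebApplication.CreateBuilder(args);

// Rebuild HttpContext.Connection.ClientCertificate from the forwarded header.
builder.Services.AddCertificateForwarding(options =>
{
    // Must match the headerName passed to AddClientCertHeader on the proxy.
    options.CertificateHeader = "ssl.ClientCertificate";
    // Assumption: the header value is the base64-encoded certificate, which is
    // what the default HeaderConverter expects, so no custom converter is set.
});

// The header proves nothing by itself (no private key is involved on this hop),
// so the certificate is validated here before it becomes an identity.
builder.Services
    .AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(options =>
    {
        options.AllowedCertificateTypes = CertificateTypes.Chained; // reject self-signed
        options.RevocationMode = X509RevocationMode.Online;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: forwarding must populate the certificate before authentication reads it.
app.UseCertificateForwarding();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint showing the certificate arrives in the usual place.
app.MapGet("/whoami", (HttpContext ctx) =>
        Results.Ok(new { subject = ctx.Connection.ClientCertificate?.Subject }))
   .RequireAuthorization();

app.Run();
```

Because any caller that can reach this app directly could set the same header, the destination should accept traffic only from the proxy (network rules or a separately authenticated proxy-to-app connection).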