Please add client certificate authentication for TLS, because I'd really like to switch from Apache with mod_ssl (SSLVerifyClient / SSLRequire).
On my list actually, as I needed this last week myself. :) Will look into this soon!
Great news. Thank you.
That PR is now merged, and with 0.7.1, Caddy supports client authentication. As noted from the conversation in #98, some users would like the ability to specify individual client certs rather than just root CAs.
I'm not sure how to do this without dropping down to the transport layer, and I'm not sure if I'm ready to take the plunge yet. Anyone else is welcome to look into this if they want to.
As a workaround -- and this could be inconvenient if your PKI is already mature -- I've found it quite workable if I am my own CA and issue certs only for myself (or very trusted people, as needed), then add my own root CA to the ClientAuth. No chaining/concatenating required. It just means that every individual is their own CA... but it works, and outside of the big-time browser/SSL certificates, it works pretty well.
I will close this until there is more demand to specify client certificates and if there is a feasible way to implement this feature.
Hi! I just discovered Caddy and this is something that I would need, so I have a few questions:
1) Is it possible to enforce checking per-url?
2) How can I check the certificate, i.e. does Caddy send request parameters or something?
Hey @boghison - I don't think (1) is possible right now, given that Go's standard client auth implementation is pretty simple, just checking that the client's certificate is signed by one of the root CAs.
As for (2) I'm not really sure I understand the question. What do you mean by "check the certificate" and "request parameters"?
@mholt Well, for example, checking the DN name to tailor information to a specific user, so this info is sent as request parameters for the CGI to process.
No, that's not supported, but pull requests are welcome!
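Worked example of the two things discussed above: the "be your own CA" workaround (issue client certs from a private root, hand only that root to ClientAuth) and the per-client check the thread says Go's standard client auth does not do (accepting one specific cert rather than anything the root signed, and extracting the DN for a CGI). This is an added example in Go, not Caddy's code or anything posted in the thread; every name in it (Example Private CA, Rogue CA, alice, mallory, eve, localhost) is made up, and `issue`, `pinned`, `authenticate` and `runDemo` are this example's own helpers, not a Caddy or standard-library API. The only standard-library pieces are `tls.Config` (`ClientAuth`, `ClientCAs`, `VerifyPeerCertificate`) and `x509.Certificate.Verify`. `authenticate` runs, offline and without sockets, the same two checks a server built with that config runs during each handshake: Go's chain verification against `ClientCAs` (using the same `VerifyOptions` the standard library uses for client certs), then the pin. Key generation failures are treated as fatal (panic) to keep the demo short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a P-256 key and a certificate for it signed by parentKey (self-signed when
// parent is nil), the in-memory stand-in for running your own CA with openssl. A failure
// means a bad template or a broken OS RNG, so it panics rather than returning an error.
func issue(serial int64, cn string, ca bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IsCA: ca, BasicConstraintsValid: ca}
	if ca {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	} else if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{cn} // the name clients will dial and verify
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// pinned is the per-client step ClientAuth alone lacks. Go calls it only after the chain has
// been verified against ClientCAs, so chains[0][0] is an already-trusted leaf; comparing the
// exact DER (Certificate.Equal) is equivalent to a SHA-256 fingerprint allow-list.
func pinned(allowed ...*x509.Certificate) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		for _, a := range allowed {
			if a.Equal(chains[0][0]) {
				return nil
			}
		}
		return fmt.Errorf("client %q is CA-signed but not on the allow-list", chains[0][0].Subject.CommonName)
	}
}

// authenticate runs offline the two checks cfg makes a server run per handshake: chain
// verification against ClientCAs (the VerifyOptions Go's server uses for client certs), then
// the pin. It returns the CN a proxy could hand to a CGI, or why the client was rejected.
func authenticate(cfg *tls.Config, leaf *x509.Certificate) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.ClientCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return "", err
	}
	if err := cfg.VerifyPeerCertificate([][]byte{leaf.Raw}, chains); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// runDemo plays the workaround through: one private CA (every name here is made up) signs the
// server cert and two client certs, only alice's is pinned, and eve's cert comes from a CA the
// server does not trust. Per client CN it returns the accepted identity or the rejection.
func runDemo() map[string]string {
	ca, caKey := issue(1, "Example Private CA", true, 0, nil, nil)
	rogue, rogueKey := issue(2, "Rogue CA", true, 0, nil, nil)
	srv, srvKey := issue(3, "localhost", false, x509.ExtKeyUsageServerAuth, ca, caKey)
	alice, _ := issue(4, "alice", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	mallory, _ := issue(5, "mallory", false, x509.ExtKeyUsageClientAuth, ca, caKey)
	eve, _ := issue(6, "eve", false, x509.ExtKeyUsageClientAuth, rogue, rogueKey)
	pool := x509.NewCertPool() // the one root a ClientAuth setting would be handed
	pool.AddCert(ca)
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, // Go's built-in check: the chain must end at ClientCAs
		ClientCAs:  pool, VerifyPeerCertificate: pinned(alice), MinVersion: tls.VersionTLS12}
	out := map[string]string{}
	for _, c := range []*x509.Certificate{alice, mallory, eve} {
		id, err := authenticate(cfg, c)
		if err != nil {
			id = "rejected: " + err.Error()
		}
		out[c.Subject.CommonName] = id
	}
	return out
}

func main() { fmt.Println(runDemo()) }
```

Run with `go run .`: alice is accepted and her CN comes back, mallory is rejected by the pin even though the same CA signed her cert (the case `RequireAndVerifyClientCert` alone cannot express), and eve is rejected by the chain check (`x509: certificate signed by unknown authority`). To use `cfg` for real, pass it to `tls.Listen` or set it as `http.Server.TLSConfig`; in a handler the verified leaf is `r.TLS.PeerCertificates[0]`, which is where a proxy would read the DN to forward it. Per-URL enforcement is a different problem, since the client certificate is checked once per TLS connection, not per request; a server that wants it has to do the check in the request handler against `r.TLS`, not in the handshake.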
Following here.
Caddy with client certificate auth and an example of how to set it up would be interesting.
I will close this until there is more demand to specify client certificates and if there is a feasible way to implement this feature.
I would definitely like to see this. I assume you're referring to validating the CNs as issued? Assuming Go is cooperative, that seems easiest. I would definitely prefer to require '[email protected]' rather than a cert file path.
Track #1375 - the last feature to take full advantage of Go 1.8 was improved client authentication which I never got around to implementing. It's a #Hacktoberfest issue :wink:
Got it. Thanks!