To configure Gorouter behavior for handling client certificates, select one of the following options in the **Router behavior for client certificate validation** field:
* **Router does not request client certificates:** Client certificates are not requested, so the client does not provide them, and validation of client certificates does not occur. This option is incompatible with the **TLS termination point** options **HAProxy** and **Router** because these options require mutual authentication.
* **Router requests but does not require client certificates:** The Gorouter requests client certificates in TLS handshakes and validates them when presented, but does not require them. This is the default configuration.
* **Router requires client certificates:** The Gorouter validates that the client certificate is signed by a Certificate Authority that the Gorouter trusts. If the Gorouter cannot validate the client certificate, the TLS handshake fails.
<br/>
<p class="note warning"><strong>Warning:</strong> Requests to the platform fail upon upgrade if your load balancer is configured with client certificates and the Gorouter does not have the CA. To mitigate this issue, select <strong>Router does not request client certificates</strong>.</p>