forked from pivotal-cf/docs-pcf-install
_haproxy_client_cert_validation.html.md.erb
To configure HAProxy to handle client certificates, select one of the following options in the **HAProxy behavior for client certificate validation** field:
* **HAProxy does not request client certificates:** This option requires mutual authentication, which makes it incompatible with the **TLS termination point** option **HAProxy**. HAProxy does not request client certificates, so the client does not provide them and no validation occurs. This is the default configuration.
* **HAProxy requests but does not require client certificates:** HAProxy requests client certificates in TLS handshakes and validates them when presented, but does not require them. This option is required if you want to enable mutual TLS app identity verification and TLS is terminated for the first time at HAProxy.
<p class="note warning"><strong>Warning:</strong> Upon upgrade, PAS fails to receive requests if your load balancer is configured to present a client certificate in the TLS handshake with HAProxy but HAProxy has not been configured with the certificate authority used to sign it. To mitigate this issue, select <strong>HAProxy does not request client certificates</strong> or configure HAProxy with the appropriate CA.</p>
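
The warning above comes down to whether the client certificate your load balancer presents chains to the CA that HAProxy is configured with, which you can check before upgrading. The script below is an added example, not part of the PAS documentation or product: the file names and the `check_client_cert` and `make_sample_pki` helpers are hypothetical, and it assumes `openssl` 1.1.0 or later and that validation uses OpenSSL's standard client-certificate purpose check.

```shell
#!/bin/sh
# Added example: pre-upgrade check that the client certificate a load balancer
# presents chains to the CA bundle configured in HAProxy. Paths are placeholders.

# check_client_cert CA_BUNDLE CLIENT_CERT
# 0 = chains to the bundle, 1 = does not verify, 2 = unreadable input.
check_client_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    # -no-CApath keeps the system trust store out of the decision.
    openssl verify -no-CApath -purpose sslclient -CAfile "$1" "$2" \
        >/dev/null 2>&1 || return 1
}

# make_sample_pki DIR: constructed test data only (throwaway keys and names).
# Writes ca.pem, other-ca.pem and lb-client.pem (signed by ca.pem) into DIR.
make_sample_pki() {
    d=$1
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-lb" \
        -keyout "$d/lb-client.key" -out "$d/lb-client.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/lb-client.csr" -days 1 -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/lb-client.pem" 2>/dev/null
}

# With two arguments, check real files; exit status follows check_client_cert.
if [ "$#" -eq 2 ]; then
    if check_client_cert "$1" "$2"; then
        echo "OK: HAProxy can validate this client certificate"
    else
        echo "FAIL: certificate does not chain to the configured CA" >&2
        exit 1
    fi
fi
```

Run it with the CA bundle you entered for HAProxy and the certificate exported from the load balancer; a failure means the upgrade would hit the condition the warning describes unless you add the CA or select **HAProxy does not request client certificates**.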