
This is an old revision of the document!


authclientcert Plugin

Compatible with DokuWiki: Greebo

Plugin that authenticates and creates users from a client X.509 certificate

Last updated on: 2019-02-15
Provides: Auth
Repository: Source
Conflicts with: authchained
Requires: authplain

This extension has not been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues.

Similar to authhttp, authremoteuser

Tagged with authentication, smartcard, x509

Description

This plugin authenticates users based on the content of the client certificate provided by a reverse proxy or web server. The certificate is picked up from the $_SERVER variable. Either SSL_CLIENT_CERT or any HTTP header can be configured as the source of the certificate. The plugin expects the certificate in PEM format. The BEGIN/END CERTIFICATE fields are optional.

Certificate validation must be performed by the web server or reverse proxy. The plugin does not verify the certificate itself: certificates delivered to it are assumed valid. When an HTTP header is the source, the proxy must therefore set that header itself on every request, so that a value supplied by the client never reaches DokuWiki.

The following table shows the mapping between certificate fields and user info.

Certificate                                        | User Info
---------------------------------------------------|----------
name employeeNumber (OID:2.16.840.1.113730.3.1.3)  | user
extensions subjectAltName email                    | email
subject CN                                         | real name

If the certificate is present and none of the above fields is empty, the user is logged in. New users are created on first login; a random password is generated for consistency. authclientcert uses authplain as its backend storage.
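
An added example, not the plugin's own code, of the field mapping and the all-fields-required check described above. It assumes the table's name, extensions and subject labels are the keys of the array returned by PHP's openssl_x509_parse(); the function names and the sample data are hypothetical.

```php
<?php
// Added example; function names and sample data are hypothetical, not the plugin's code.
// Accept PEM with or without BEGIN/END markers and return canonical PEM, or null.
function normalizePem(string $raw): ?string
{
    $body = preg_replace('/-----(?:BEGIN|END) CERTIFICATE-----|\s+/', '', $raw);
    // Strict base64 check before anything is handed to OpenSSL.
    if (!is_string($body) || $body === '' || base64_decode($body, true) === false) {
        return null;
    }
    return "-----BEGIN CERTIFICATE-----\n" . chunk_split($body, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

// Map an openssl_x509_parse() result to user info; null means "do not log in".
function mapCertToUser(array $cert): ?array
{
    // Assumption: employeeNumber shows up in the one-line name by short name or by OID.
    $re = '#/(?:employeeNumber|2\.16\.840\.1\.113730\.3\.1\.3)=([^/]+)#';
    $user = preg_match($re, (string)($cert['name'] ?? ''), $m) ? $m[1] : '';
    $mail = '';
    // subjectAltName is a comma-separated string, e.g. "email:a@b, DNS:host".
    foreach (explode(',', (string)($cert['extensions']['subjectAltName'] ?? '')) as $entry) {
        if (stripos(trim($entry), 'email:') === 0) {
            $mail = trim(substr(trim($entry), 6));
            break;
        }
    }
    $name = $cert['subject']['CN'] ?? '';
    // Fail closed: every mapped field must be a non-empty string.
    foreach ([$user, $mail, $name] as $field) {
        if (!is_string($field) || trim($field) === '') return null;
    }
    return ['user' => $user, 'mail' => $mail, 'name' => $name];
}

// Header name from the installation steps; absent on the command line, so a no-op there.
$pem = normalizePem($_SERVER['HTTP_X_SSL_CLIENTCERT_BASE64'] ?? '');
$parsed = $pem !== null ? openssl_x509_parse($pem) : false;
$fromRequest = is_array($parsed) ? mapCertToUser($parsed) : null;

// Constructed sample in the shape openssl_x509_parse() returns (not a real certificate).
$sample = [
    'name' => '/C=XX/O=Example/CN=Jane Doe/employeeNumber=12345',
    'subject' => ['C' => 'XX', 'O' => 'Example', 'CN' => 'Jane Doe'],
    'extensions' => ['subjectAltName' => 'email:jane.doe@example.org, DNS:pc1.example.org'],
];
var_dump(mapCertToUser($sample));   // complete certificate
unset($sample['extensions']);
var_dump(mapCertToUser($sample));   // e-mail missing
```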

Installation

Install the plugin using the Plugin Manager and the download URL above, which points to the latest version of the plugin. Refer to Plugins on how to install plugins manually.

  • Disable anonymous access and self-registration.
  • Select the plugin as the authentication backend.
  • Configure the reverse proxy to validate the certificate and deliver it in the X_SSL_CLIENTCERT_BASE64 header.
  • Configure the name of the HTTP header in which the certificate is delivered: HTTP_X_SSL_CLIENTCERT_BASE64.
  • Configure the name of the group to which new users are assigned.

Development

Change Log

  • 2019-02-15
    • Initial release

Known Bugs and Issues

This plugin does not work with authchained.

ToDo/Wish List

The selection of the fields and the mapping are hard-coded to match the content of a smartcard I have. It is very likely that the selection does not match your certificate. The easiest way to adjust it is to edit the plugin's auth.php. In the long term it makes sense to capture the most common cases as configuration. Please let me know about your needs by opening an issue on GitHub or, even better, by creating a PR.

FAQ

Discussion

plugin/authclientcert.1550235195.txt.gz · Last modified: 2019-02-15 13:53 by paweljasinski

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International