Client-Cert-Chain
The HTTP Client-Cert-Chain request header carries the certificate chain used to validate the client certificate when a reverse proxy terminates mutual TLS and forwards the request to an origin server.
Usage
When a reverse proxy handles mutual TLS (mTLS) authentication and passes the client certificate to the origin server using Client-Cert, the origin might need the full certificate chain to verify that certificate against a root certificate authority. The Client-Cert-Chain header provides this chain.
The header carries certificates in the validation path, starting with the certificate signing the client certificate and continuing through any intermediate certificates, but excluding the root certificate and the end-entity client certificate itself. The end-entity certificate travels separately in the Client-Cert header. This separation keeps certificate data organized and prevents redundant transmission of the client certificate.
Each certificate in the chain is base64-encoded as a Structured Field Byte Sequence (:base64data:) and separated from the next by a comma and space. The certificates appear in the order needed for validation, with the issuer of the client certificate first.
The Client-Cert-Chain header appears only when Client-Cert is also present. A proxy sending the chain without the client certificate violates the specification. The proxy must remove any Client-Cert-Chain header from the incoming request before adding its own value, so that a client cannot supply a forged chain.
Values
Certificate chain list
The value is a comma-separated list of certificates, each encoded as a Structured Field Byte Sequence (base64 with colon delimiters). Each certificate is in DER format before encoding. The certificates appear in validation order, with the certificate issuing the client certificate appearing first, followed by any intermediate certificates in the chain. The root certificate and the end-entity client certificate are excluded.
Example
A reverse proxy terminates mTLS and forwards both the client certificate and the validation chain to the origin server. The Client-Cert-Chain header contains two intermediate certificates in Structured Field Byte Sequence format (base64). The origin server uses these to verify the client certificate against its trusted root certificate authority.
Client-Cert: :MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQK
DBJMZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBD
QTAeFw0yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMBIxEDAOBgNVBAMMB2Ns
aWVudDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATx4ECEj5vJzAOc4WEuAQFp
yqZsQvxcpCPDPdPV6sn7SLmyNUFGGVaeMbkA1VjBCdmMR5zjwNBRUmzLJcNmBmcR
o18wXTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSKAUUTbJWvY2RGVlbCzUUMR0ry
fDAOBgNVHQ8BAf8EBAMCA6gwHgYDVR0lBBcwFQYIKwYBBQUHAwIGCWCGSAGG+EIE
ATAKBggqhkjOPQQDAgNIADBFAiEAvO3h0K4BqJvvlqEVPzH+zpTGfEPPn2vY+SOK
n2j4pCYCIH+J3IvVD+dJdJ+GCLzRRhZ9Vg8ZfGxJZhQVQjsKfmk3:
Client-Cert-Chain: :MIIBPzCB5qADAgECAgEKMAoGCCqGSM49BAMCMBIxEDAOBg
NVBAMMB1Jvb3QgQ0EwHhcNMjAwMTA5MjI1NTMzWhcNMzAwMTI4MjI1NTMzWjA6
MRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVy
bWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKX7GwPUyjLnkJQB
8nzQOI0Wbi0nKxhK63dzGJ0lO+1WaBVjZPRKNlzK5+lJ7qQJXoNj9WqrKaIaAoGg
mFzIuLajDzANMAoGCCqGSM49BAMCA0gAMEUCIQCxvp+LPnDqwTCZKR87l9+4P1bR
p8w+lHCUO3XhPF9u7AIgR7kDc2Tq0A0fRlkLPZQaXSPQXPQxaGDQN5PzLdHmVLI:,
:MIIBWjCCAQGgAwIBAgIBDTAKBggqhkjOPQQDAjASMRAwDgYDVQQDDAdSb290IENB
MB4XDTIwMDEwOTIyNTYyMFoXDTMwMDEyODIyNTYyMFowOjEbMBkGA1UECgwSTGV0
J3MgQXV0aGVudGljYXRlMRswGQYDVQQDDBJMQSBJbnRlcm1lZGlhdGUgQ0EwWTAT
BgcqhkjOPQIBBggqhkjOPQMBBwNCAASl+xsD1Moy55CUAfJ80DiNFm4tJysYSut3
cxidJTvtVmgVY2T0SjZcyufpSe6kCV6DY+VqqymiGgKBoJhcyLi2ow8wDTAKBggq
hkjOPQQDAgNHADBEAiBL8Vq6bVhZ7pNfOhJuHcQbDQJdFVJdElTtCXRLqZRJZgIg
RrJ7lU3lPjTVVKvLcMQXlnPqPgmKLh5CJfp0MHwsWqs:
The origin server reconstructs the certificate path from the Client-Cert header and the chain in Client-Cert-Chain. The validation walks from the end-entity certificate through each intermediate certificate to confirm the chain links to a trusted root certificate authority.
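The origin-side reconstruction described above, as an added example that is not code from this page or from any particular proxy or server: it parses both headers as Structured Field Lists of Byte Sequences, reads the issuer and subject Names out of each DER certificate with a minimal TLV walker, and rejects a chain that arrives without Client-Cert or whose first entry did not issue the client certificate. The constructed input is the Client-Cert value and the first Client-Cert-Chain entry from the example above; signature and trust-anchor verification are left to a full X.509 library.

```python
import base64

def parse_byte_sequence_list(value):
    """SF List of Byte Sequences (:b64:, :b64:) -> DER bytes; drops folding whitespace, synthesises padding (RFC 8941)."""
    certs = []
    for item in "".join(value.split()).split(","):
        if len(item) < 2 or item[0] != ":" or item[-1] != ":":
            raise ValueError("not a Byte Sequence: %r" % item[:12])
        b64 = item[1:-1] + "=" * (-(len(item) - 2) % 4)
        certs.append(base64.b64decode(b64, validate=True))  # rejects '-', '_' or other non-base64 characters
    return certs

def tlv(buf, pos):
    """Read one DER tag and length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER Name encodings (issuer, subject) taken from the TBSCertificate prefix."""
    _, pos, _ = tlv(der, 0)                            # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                          # TBSCertificate SEQUENCE
    fields = []        # version?, serialNumber, signature, issuer, validity, subject
    while len(fields) < 6:
        tag, _, end = tlv(der, pos)
        fields.append((tag, der[pos:end]))
        pos = end
    off = 1 if fields[0][0] == 0xA0 else 0             # optional [0] EXPLICIT version
    return fields[2 + off][1], fields[4 + off][1]

def validation_path(headers):
    """Origin-side path [client cert, its issuer, ...] from the two headers. Checks
    structure and ordering only; signatures and the trust anchor are the X.509 library's job."""
    if "Client-Cert" not in headers:                   # a chain on its own violates the spec
        raise ValueError("Client-Cert missing; Client-Cert-Chain may not appear alone")
    path = parse_byte_sequence_list(headers["Client-Cert"])
    if "Client-Cert-Chain" in headers:
        path += parse_byte_sequence_list(headers["Client-Cert-Chain"])
    for i, (child, parent) in enumerate(zip(path, path[1:])):
        if issuer_and_subject(child)[0] != issuer_and_subject(parent)[1]:  # byte-equal Names
            raise ValueError("chain entry %d did not issue entry %d" % (i + 1, i))
    return path

EXAMPLE_HEADERS = {  # constructed from the example above: Client-Cert and the first chain entry
    "Client-Cert": ":MIIBqDCCAU6gAwIBAgIBBzAKBggqhkjOPQQDAjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTAeFw0yMDAxMTQyMjU1MzNaFw0yMTAxMjMyMjU1MzNaMBIxEDAOBgNVBAMMB2NsaWVudDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATx4ECEj5vJzAOc4WEuAQFpyqZsQvxcpCPDPdPV6sn7SLmyNUFGGVaeMbkA1VjBCdmMR5zjwNBRUmzLJcNmBmcRo18wXTAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSKAUUTbJWvY2RGVlbCzUUMR0ryfDAOBgNVHQ8BAf8EBAMCA6gwHgYDVR0lBBcwFQYIKwYBBQUHAwIGCWCGSAGG+EIEATAKBggqhkjOPQQDAgNIADBFAiEAvO3h0K4BqJvvlqEVPzH+zpTGfEPPn2vY+SOKn2j4pCYCIH+J3IvVD+dJdJ+GCLzRRhZ9Vg8ZfGxJZhQVQjsKfmk3:",
    "Client-Cert-Chain": ":MIIBPzCB5qADAgECAgEKMAoGCCqGSM49BAMCMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwHhcNMjAwMTA5MjI1NTMzWhcNMzAwMTI4MjI1NTMzWjA6MRswGQYDVQQKDBJMZXQncyBBdXRoZW50aWNhdGUxGzAZBgNVBAMMEkxBIEludGVybWVkaWF0ZSBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKX7GwPUyjLnkJQB8nzQOI0Wbi0nKxhK63dzGJ0lO+1WaBVjZPRKNlzK5+lJ7qQJXoNj9WqrKaIaAoGgmFzIuLajDzANMAoGCCqGSM49BAMCA0gAMEUCIQCxvp+LPnDqwTCZKR87l9+4P1bRp8w+lHCUO3XhPF9u7AIgR7kDc2Tq0A0fRlkLPZQaXSPQXPQxaGDQN5PzLdHmVLI:",
}
```

The returned DER list is what you hand to your TLS or X.509 library to verify signatures against the configured root; a proxy that strips inbound Client-Cert and Client-Cert-Chain before setting its own values is what makes the headers trustworthy in the first place.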
Takeaway
The Client-Cert-Chain header enables reverse proxies to pass the certificate validation chain from mTLS connections to origin servers, excluding the end-entity certificate and root certificate, using the Structured Field Byte Sequence format (base64).