How and when to use ClientCert in CFHTTP tag?

The ColdFusion documentation is weak on how and when to use it. What does it do? How does one use it?

Update: it seems to be broken, as outlined in Washing Client Certs in ColdFusion with SOAP – Part 2.

problems with CFHTTP handling SSLv3 sessions

Henry asked Jun 02 '11 20:06


2 Answers

Client certificates are a bit of a pain because of the overhead involved in using them.

As Jura says, you'll need a target server that uses client certificates as a mechanism for authentication. This server side piece does not need to be CF-based. The web server (IIS, for example) would be set up to require this. This is part of the SSL/TLS protocol, not specific to any language at the application level.

You would use this if the server you are requesting a resource from requires client certificates. The administrator of that server would need to give you the client certificate and private key ahead of time. As mentioned by user349433, this is commonly a PKCS12 (.p12 or .pfx) file.

The server will validate that the client certificate is "trusted" and if it is, it will allow the TLS/SSL handshake to proceed, and CF will be able to write the HTTP request on top of it.

The use case today is to prevent man-in-the-middle attacks, but because of the overhead involved with certificate distribution, revocation, etc. it's not terribly common.

If you want to know more about it, check out TLS 1.1 specification:

https://www.rfc-editor.org/rfc/rfc4346
https://www.rfc-editor.org/rfc/rfc4346#section-7.4.6

jglouie answered Sep 28 '22 05:09
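The flow jglouie describes (server requires a client cert, you hold the PKCS12 and its password) maps onto the `clientCert` and `clientCertPassword` attributes of CFHTTP. The block below is an added example, not code from either answer; it assumes a hypothetical endpoint `https://api.example.com/secure/resource`, a PKCS12 file at `/opt/cf/certs/client.p12` and a `CLIENT_CERT_PASSWORD` environment variable, all of which you would replace with the values your server administrator issued.

```cfml
<!--- Added example (not from the original answers). Assumes a hypothetical
      target that requires client-certificate authentication, a PKCS12 file
      (client.p12) issued by that server's administrator, and its password in
      the CLIENT_CERT_PASSWORD environment variable. The .p12 holds the private
      key, so keep it outside the web root and out of source control. --->
<cfset certPath = "/opt/cf/certs/client.p12">
<cfset certPassword = createObject("java", "java.lang.System").getenv("CLIENT_CERT_PASSWORD")>

<cfif len(certPassword) eq 0>
    <cfthrow message="CLIENT_CERT_PASSWORD is not set; refusing to open the PKCS12 file">
</cfif>

<!--- clientCert points at the PKCS12 bundle; clientCertPassword unlocks it.
      CF presents the certificate during the TLS handshake, before any HTTP
      bytes are written, exactly as the answer above describes. --->
<cfhttp url="https://api.example.com/secure/resource"
        method="get"
        clientCert="#certPath#"
        clientCertPassword="#certPassword#"
        timeout="30"
        result="httpResult">
    <cfhttpparam type="header" name="Accept" value="application/json">
</cfhttp>

<!--- A certificate the server does not trust is rejected at the handshake,
      which CFHTTP reports as a "Connection Failure" status rather than an
      HTTP 4xx, so check that case separately from ordinary HTTP errors. --->
<cfif httpResult.statusCode contains "Connection Failure">
    <cflog file="clientcert" type="error"
           text="TLS handshake to api.example.com failed: #httpResult.errorDetail#">
    <cfthrow message="Client certificate was not accepted by the server">
<cfelseif left(httpResult.statusCode, 3) neq "200">
    <cflog file="clientcert" type="warning"
           text="Unexpected HTTP status #httpResult.statusCode# from api.example.com">
<cfelse>
    <cfset payload = deserializeJSON(httpResult.fileContent)>
</cfif>
```

Logging `errorDetail` on handshake failure is what tells you whether the problem is the certificate (untrusted issuer, expired, wrong password on the .p12) or plain connectivity, which the bare status code does not distinguish.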


You use a client certificate in case the target server uses that mechanism for authentication. You'll need to obtain a specific client certificate from the service provider in order to be able to connect to the service. It's been used for some internet banking applications back in the day, I believe. Not sure what the use case today is for it, maybe distributed corporate networks where you need to connect to a corporate server over the internet in a highly secure manner?

Jura Khrapunov answered Sep 28 '22 06:09