Skip to content

GEP-91: Client Certificate Validation for TLS terminating at the Gateway Listener

  • Issue: #91
  • Status: Provisional

(See definitions in [GEP Status][/contributing/gep#status].)


This GEP proposes a way to validate the TLS certificate presented by the downstream client to the server (Gateway Listener in this case) during a TLS Handshake Protocol, also commonly referred to as mutual TLS (mTLS).


  • Define an API field to specify the CA Certificate within the Gateway Listener configuration that can be used as a trusted anchor to validate the certificates presented by the client.


  • Define other fields that can be used to verify the client certificate such as the Certificate Hash or Subject Alt Name.