Create a client certificate

Learn how to create a client certificate for NetFoundry Frontdoor. Upload an existing certificate or generate a new one by submitting a certificate signing request (CSR), then configure the share to reference the certificate and test the connection to verify secure access.

Step 1: Submit or generate the client certificate

Choose between uploading an existing certificate and having Frontdoor issue one from a certificate signing request (CSR). The CSR route has two variants that differ only in how the request is authorized: a full bearer token (Option B) or a single-use certificate request token (Option C). In every case the private key is generated and kept locally; only the certificate or CSR is sent.

Option A: Upload an existing certificate

Choose this option if you already have a trusted client certificate, PEM encoded, that was issued by a third-party certificate authority. The PEM is sent as a JSON string, so each line break in the file must appear as the two characters \n inside the "value" field, as in the example below.

curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "my-api-client",
"type": "CERTIFICATE",
"value": "-----BEGIN CERTIFICATE-----\nMIIB..."
}' \
"https://gateway.production.netfoundry.io/frontdoor/$FRONTDOOR_ID/client-certificates"

Option B: Generate from a CSR using a bearer token

Choose this method to have NetFoundry Frontdoor issue and sign a new client certificate for a private key you generate locally. The key never leaves your machine; the request carries only the CSR and is authorized with a full-access bearer token.

# First, create a CSR locally for your existing private key; -subj avoids the interactive subject prompts
openssl req -new -key private.key -subj "/CN=my-generated-cert" -out certificate.csr

# Then submit to Frontdoor
curl -X POST \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "my-generated-cert",
"type": "CSR",
"value": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB..."
}' \
"https://gateway.production.netfoundry.io/frontdoor/$FRONTDOOR_ID/client-certificates"

Option C: Generate from CSR using a certificate request token

Choose this method when the machine generating the key should not hold a full bearer token. The request is authorized by a specific, single-use certificate request token carried in the URL path, so only that token has to be handed to the requester. Because the token is part of the URL, keep it out of shell history, proxy logs and tickets; it is a credential until it is consumed.

# First, create a CSR locally for your existing private key; -subj avoids the interactive subject prompts
openssl req -new -key private.key -subj "/CN=my-api-client" -out certificate.csr

# Then submit to Frontdoor
curl -X POST \
-H "Content-Type: application/json" \
-d '{
"type": "CSR",
"value": "-----BEGIN CERTIFICATE REQUEST-----\nMIIB..."
}' \
"https://gateway.production.netfoundry.io/frontdoor/$FRONTDOOR_ID/client-certificates/token/67890abcde"

Step 2: Configure your share

Reference the client certificate in the share configuration so that the share requires clients to present it during the TLS handshake. Until the share references the certificate, connections that present it are treated no differently from any other.

Step 3: Test the connection

Verify that your client can successfully authenticate using the certificate and the matching private key:

# Test with curl: -f fails on an HTTP error status, -v shows the handshake and the server's certificate request
curl -fv --cert client.crt --key client.key https://your-frontend.example.com/api/test

# Test certificate validation at the TLS layer; </dev/null closes the session once the handshake completes.
# If the share rejects the client certificate the handshake ends with a TLS alert instead of a session.
openssl s_client -connect your-frontend.example.com:443 -cert client.crt -key client.key </dev/null
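The three steps above, plus the key/certificate match check from the troubleshooting list below, as one script. This is an added example, not code from the NetFoundry Frontdoor documentation or product. It assumes openssl and curl on PATH and the TOKEN and FRONTDOOR_ID variables used in the page's snippets; the endpoint paths are the ones shown on this page, and nothing about the API's response body is assumed. The function names and the P-256 key type are this example's choices.

```shell
#!/bin/sh
# Added example, not part of the NetFoundry Frontdoor documentation.
# Assumes: openssl and curl on PATH; TOKEN and FRONTDOOR_ID exported as in the
# page's snippets. Endpoint paths are copied from the page; nothing else about
# the API (response body, error codes) is assumed.
set -e

FRONTDOOR_API="https://gateway.production.netfoundry.io/frontdoor/${FRONTDOOR_ID:-}"

# Generate a P-256 private key and a CSR for it without interactive prompts.
# The key never leaves this machine; only the CSR is sent to Frontdoor.
# $1: output path prefix, $2: Common Name to put in the CSR subject
make_key_and_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  chmod 600 "$1.key"
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr"
}

# Render a PEM file as a JSON string literal. PEM is base64 plus dashed
# header/footer lines, so the only characters that need escaping are the line
# breaks; each becomes the two characters '\' 'n'. A stray CR from a
# Windows-edited file is dropped so the server receives a clean PEM.
# $1: PEM path
pem_to_json_string() {
  awk 'BEGIN { ORS = "" } { sub(/\r$/, ""); print $0 "\\n" }' "$1"
}

# Build the request body that the page's curl calls send.
# $1: CERTIFICATE or CSR, $2: PEM path, $3: optional name (omitted for the
# request-token endpoint, whose body carries no name)
build_body() {
  pem=$(pem_to_json_string "$2")
  if [ -n "${3:-}" ]; then
    printf '{"name":"%s","type":"%s","value":"%s"}' "$3" "$1" "$pem"
  else
    printf '{"type":"%s","value":"%s"}' "$1" "$pem"
  fi
}

# Options A and B: authorized with the bearer token.
# $1: CERTIFICATE or CSR, $2: PEM path, $3: name
submit_with_bearer() {
  curl -sS -f -X POST \
    -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" \
    --data-binary "$(build_body "$1" "$2" "$3")" \
    "$FRONTDOOR_API/client-certificates"
}

# Option C: single-use certificate request token in the path, no bearer token.
# $1: CSR path, $2: request token
submit_with_request_token() {
  curl -sS -f -X POST \
    -H "Content-Type: application/json" \
    --data-binary "$(build_body CSR "$1")" \
    "$FRONTDOOR_API/client-certificates/token/$2"
}

# Troubleshooting check: does the private key belong to the issued certificate?
# Derives the public key from each and compares them. Returns 0 on match,
# 1 on mismatch, 2 if either file cannot be parsed.
# $1: private key PEM, $2: certificate PEM
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# mTLS smoke test against the share; -f makes a non-2xx response a failure.
# $1: key PEM, $2: certificate PEM, $3: URL behind the share
test_share() {
  curl -sS -f -o /dev/null -w 'HTTP %{http_code}, TLS verify %{ssl_verify_result}\n' \
    --cert "$2" --key "$1" "$3"
}

# Usage (nothing runs on load; uncomment to submit a fresh CSR and verify):
#   make_key_and_csr my-api-client my-api-client
#   submit_with_bearer CSR my-api-client.csr my-api-client > response.json
#   # save the PEM returned in response.json as my-api-client.crt, then:
#   key_matches_cert my-api-client.key my-api-client.crt && echo "key matches cert"
#   test_share my-api-client.key my-api-client.crt https://your-frontend.example.com/api/test
```

`build_body` does the newline escaping with awk rather than pasting the PEM by hand, which is the step most often botched when the "value" field is assembled manually. `key_matches_cert` distinguishes a genuine mismatch (exit 1) from an unreadable file (exit 2) so a wrong path is not misread as a wrong key.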

Troubleshooting

Certificate validation errors:

  • Verify the certificate format (PEM encoding, with the BEGIN/END lines intact)
  • Check the validity period; a certificate that is expired or not yet valid is rejected
  • Ensure the chain to the issuing CA is complete where the validator needs the intermediates
  • Validate the key usage extensions: the certificate needs an Extended Key Usage that permits clientAuth (or no EKU restriction) and a Key Usage that permits digitalSignature

Connection failures:

  • Confirm the private key matches the certificate (the public key derived from each must be identical)
  • Check that the certificate is referenced in the share configuration
  • Verify the client is actually presenting the certificate (with curl, both --cert and --key must be given)
  • Review firewall rules and network connectivity to the share

Performance concerns:

  • Monitor TLS handshake times; mutual TLS adds a signature operation on each side
  • Reuse connections or TLS sessions so clients do not repeat the certificate exchange on every request
  • Measure the cost of certificate validation, including any revocation lookups, on the handshake path
  • Keep the certificate chain short; each intermediate adds bytes to the handshake and another signature to verify

Next steps