Skip to main content
Skip table of contents

Client Certificates profiles (API)

Client Certificates parameters

Use this parameter in the JSON structure when you apply the Client Certificates policy to the app with app-market/policy .



The data for customizing Client Certificates. The configurable data includes matching rules. The Client Certificates policy matches these hosts against the URL being visited to determine whether or not a client certificate is proposed.

Valid values: A file or a string in JSON format with host, port, and action keys. Rules are applied in the order they are created . All parameters are specified in a <name>:<value> pair.

  • host: Host pattern. Specify * for part of the hostname. For example, * matches or, but not; * matches as well as and 

  • port: Specify * to apply to any port on the host. If you leave port empty, it defaults to port 443 (HTTPS). Use *443 to match 443, 8443, and so on.

  • action: Use these options to specify whether the site is blocked or allowed:

    • useEnrollmentCertificate (Host White List): Sites allowed to receive the client certificates obtained during enrollment.

    • noCertificate (Host White List Exceptions): Sites blocked from receiving the client certificates obtained during enrollment. This list takes precedence over the Host White List.

Client Certificates API resources

To manage Client Certificates profiles, use these resources:

  • profile: Use type="client_certs" to create a Client Certificates profile. See example below.
  • profile/catalog/{policytype}: Use "client_certs" for "{policytype}". GET returns an array of details for all policy profiles of the specified type.
  • profile/{GUID}: Use the profile ID to specify a policy profile. GET returns details for the specified profile, PUT updates the details in the specified profile, and DELETE archives the profile.
  • settings/client-certs-default-profile (settings/{policytype}-default-profile): POST sets one of the Client Certificates profiles as the default. GET returns the GUID of the current default profile. DELETE archives the current default.

To retrieve details for the policy:

  • app-policy/{GUID}: Use the policy ID to specify a policy. GET returns details for the specified policy.
  • app-policy/code/{code}: Use POLICY_CODE_CLIENT_CERTS to specify the policy. GET returns details for the specified policy.

To secure apps with Client Certificates policy, use these resources:

Creating a Client Certificates profile

This example creates a Client Certificates profile with the profile API, specifying all options.


curl -k -v -L -b c.txt -c c.txt -X POST \
  -F name="TestProfile" \
  -F type="client_certs" \
  -F desc="Default Profile" \
  -F data="{\"clientCertsUrlMatchingRules\":[


{"message": "",
  "profiles": {
    "data": {
      "profile_data": "{\"clientCertsUrlMatchingRules\":[
      "profile_data_id": "be2c8009-f0d3-4709-b097-65d3ae370720",
      "profile_data_stamp": "2016-08-19 15:12:15.0"
    "profile_desc": "Default Profile",
    "profile_id": "98098be0-2efe-4cd2-a7cd-bb99a39219fa",
    "profile_name": "TestProfile",
    "profile_type": "client_certs",
    "profile_url": ""
  "status": "OK"

On this page

Related topics

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.