_gorouter_client_cert_validation.html.md.erb
To configure Gorouter behavior for handling client certificates, select one of the following options in the <b>Router behavior for Client Certificate Validation</b> field.
<%= image_tag 'networking_router_client_cert_validate.png' %>
<ul>
<li> <b>Router does not request client certificates.</b> This option is incompatible with the XFCC configuration options <b>TLS terminated for the first time at HAProxy</b> and <b>TLS terminated for the first time at the Router</b> in PAS because these options require mutual authentication. Because client certificates are not requested, clients do not provide them, and no validation of client certificates occurs.</li>
<li> <b>Router requests but does not require client certificates.</b> The Gorouter requests client certificates in TLS handshakes, validates them when presented, but does not require them. This is the default configuration.</li>
<li> <b>Router requires client certificates.</b> The Gorouter validates that the client certificate is signed by a Certificate Authority that the Gorouter trusts. If the Gorouter cannot validate the client certificate, the TLS handshake fails.</li>
</ul>
<p class="note warning"><strong>WARNING:</strong> Requests to the platform will fail upon upgrade if your load balancer is configured with client certificates and the Gorouter does not have the certificate authority. To mitigate this issue, select <strong>Router does not request client certificates</strong> for <strong>Router behavior for Client Certificate Validation</strong> in the <strong>Networking</strong> pane.</p>
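
The following added example (not code from this documentation or from Gorouter) runs each of the three behaviors against a client that presents no certificate, a certificate from a trusted CA, and a certificate from an unknown CA, which is the situation the warning describes. Assumptions: the options correspond to Go's `crypto/tls` modes `tls.NoClientCert`, `tls.VerifyClientCertIfGiven` and `tls.RequireAndVerifyClientCert`; the helpers `issue` and `request`, the throwaway certificates and their names are constructed for the example; and the client presents its certificate regardless of the CA names the server advertises.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func issue(cn string, parent *tls.Certificate) *tls.Certificate { // constructed test cert; nil parent = self-signed CA
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = &tls.Certificate{PrivateKey: key, Leaf: tpl}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// request sends one HTTPS request to a test server that uses mode and trusts only ca; nil means it succeeded.
func request(mode tls.ClientAuthType, ca, cert *tls.Certificate) error {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{ClientAuth: mode, ClientCAs: x509.NewCertPool()}
	srv.TLS.ClientCAs.AddCert(ca.Leaf)
	srv.StartTLS()
	defer srv.Close()
	tr := srv.Client().Transport.(*http.Transport) // assumption: client presents cert whatever CA names the server advertises
	tr.TLSClientConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
	resp, err := srv.Client().Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

func main() {
	ca := issue("trusted-ca", nil)
	for _, m := range []tls.ClientAuthType{tls.NoClientCert, tls.VerifyClientCertIfGiven, tls.RequireAndVerifyClientCert} {
		fmt.Printf("%v: no cert=%v | trusted CA=%v | unknown CA=%v\n", m, request(m, ca, &tls.Certificate{}),
			request(m, ca, issue("lb", ca)), request(m, ca, issue("lb", issue("other-ca", nil))))
	}
}
```

The `VerifyClientCertIfGiven` row shows that a mode which requests but does not require certificates still rejects a certificate from a CA the server does not trust, while `NoClientCert` accepts all three clients. `net/http` logs the server-side reason for each rejected handshake to stderr.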