Documentation for Web Performance Monitor

How WPM handles client certificates in recordings

A secure web server can be configured to refuse clients that do not have a proper client certificate from a trusted Certification Authority (CA). In such cases, the server asks the client to send its certificate before performing any requests.

If a client certificate is signed by a trusted CA, the server does not care which client presents it. If the web server requests a client certificate, export the client certificate from the browser and place it in the local certificate store to be used for recording and playback.

Here is an overview of how WPM handles client certificates:

  1. If a page in a recording requests a client certificate, a list of local client certificates appears.
  2. The user selects a certificate, and the name, issuer, and other identification data are saved in the recording as an authentication binding. The certificate itself is not stored.
  3. During playback, the recorder or player handles certificate requests by matching existing local certificates with certificate authentication bindings stored in the recordings based on the CN (CommonName) property.
  4. The client certificate must already be present and available on the remote system.

  5. If a matching certificate is found, WPM sends it to the page. If a matching certificate is not found, WPM cancels the request and the server that requested certificate authentication responds with an Access Denied message.
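Because playback matches on CN and the certificate itself is not stored in the recording, it helps to confirm on the remote system that a usable certificate with that CN is present. The following PowerShell script is an added example, not part of WPM or its documentation; the store paths it searches and the sample CN are assumptions.

```powershell
# Pre-flight check on a playback machine: is a usable client certificate with
# the CN saved in the recording's authentication binding present locally?
# Assumptions (not from the WPM documentation): the stores searched, the sample CN.
param(
    [string]$BoundCN = 'wpm-client.example.test',   # constructed sample CN
    [string[]]$Stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$now = Get-Date

$found = @(foreach ($store in $Stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue | ForEach-Object {
        # SimpleName resolves to the subject CN when the certificate has one
        if ($_.GetNameInfo($simpleName, $false) -eq $BoundCN) {
            $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            [pscustomobject]@{
                Store         = $store
                Thumbprint    = $_.Thumbprint
                Issuer        = $_.GetNameInfo($simpleName, $true)
                HasPrivateKey = $_.HasPrivateKey
                InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
                # An empty EKU list places no restriction on usage
                ClientAuthEku = ($ekus.Count -eq 0 -or $ekus -contains $clientAuthOid)
                NotAfter      = $_.NotAfter
            }
        }
    }
})

$usable = @($found | Where-Object { $_.HasPrivateKey -and $_.InValidity -and $_.ClientAuthEku })
$found | Format-Table -AutoSize

if ($found.Count -eq 0) {
    Write-Warning "No certificate with CN '$BoundCN' found; an unmatched request ends in Access Denied."
} elseif ($usable.Count -eq 0) {
    Write-Warning "CN '$BoundCN' matches, but no match has a private key, a current validity period and client-auth usage."
} elseif ($usable.Count -gt 1) {
    Write-Warning "$($usable.Count) usable certificates share CN '$BoundCN'; a CN-only match is ambiguous."
} else {
    Write-Output "One usable certificate found: $($usable[0].Thumbprint)"
}
```

Run it under the account that performs playback, because `Cert:\CurrentUser\My` is a per-account store.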

To learn more, see Web Performance Monitor - Client Certificate Authentication in THWACK.