Documentation forWeb Performance Monitor

How WPM handles client certificates in recordings

A secure web server can be configured to refuse clients that do not have a proper client certificate from a trusted Certificate Authority (CA). In such cases, the server asks the client to send its certificate before performing any requests.

If a client certificate is signed by a trusted CA, the server does not care what the client is. If the web server requests a client certificate, export the client certificate from the browser and place it in the local certificate store to be used for recording and playback.

Certificate authentication is not supported in FIPS mode. Navigation that requires certificate authentication will return Access Denied messages during playback.

Here is an overview about how WPM handles client certificates:

  1. If a page in a recording requests a client certificate, a list of local client certificates appears.
  2. The user selects a certificate and the name, issuer, and other data about the certificate is saved in the recording as an authentication binding. The certificate itself is not stored.
  3. During playback, the recorder or player handles certificate requests by matching existing local certificates with certificate authentication bindings stored in the recordings based on the CN (CommonName) property.
  4. The client certificate must already be present and available on the remote system.

  5. If a matching certificate is found, WPM sends it to the page. If a matching certificate is not found, WPM cancels the request and the server that requested certificate authentication responds with an Access Denied message.

To learn more, see: