Allow setting the name of SSL certificate header (currently SSL_CLIENT_CERT) when EJBCA behind proxy

[akielbas]

Is SSL_CLIENT_CERT hardcoded somewhere in EJBCA? Is it possible to make it configurable?

I'm interested in perhaps running EJBCA behind AWS Application Load Balancer which supports mTLS but passes the client certificate as X-Amzn-Mtls-Clientcert (per documentation).

EDIT: After submitting this I found this thread on the old sourceforge site. Perhaps something has changed since then? Would rather avoid running an intermediate proxy to rewrite header name.

[primetomas]

Nothing has changed. EJBCA itself does not code any dependency on headers.
To my knowledge, EJBCA SaaS uses AWS load balancer so somehow this is possible.
https://docs.keyfactor.com/ejbca-saas/latest/aws/

[akielbas]

Looks like this might be possible now from ELB side:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/header-modification.html

[akielbas]

I spoke too soon, I think.

I am able to get the right header name, but I'm unable to get it to work directly because the ELB header is url encoded which WildFly does not seem to support.

Reproduced this with nginx:

• Works: Using $ssl_client_cert variable. However docs note that the existing variable is deprecated and we should use $ssl_client_escaped_cert (urlencoded version).
• Fails: Using $ssl_client_escaped_cert.

I've opened a WildFly enhancement.

EDIT:
In case anyone else tries to get this to work.

I did end up having a small nginx container rewrite the header name and the contents with perl module (had to decode URL encoding and also add spaces on each line for the old multiline HTTP header support). Here is the nginx.conf hack:

load_module /etc/nginx/modules/ngx_http_perl_module.so;

worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    perl_set $clientcert '
    sub {
        my $r = shift;
        my $in_cert = $r->header_in("X-Amzn-Mtls-Clientcert");

        # urldecode
        $in_cert =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;

        # indent all the lines except the first
        $in_cert =~ s/^(?!.*\A).*/    $&/gm;

        # remove trailing newline
        $in_cert =~ s/\n$//; 

        return $in_cert;
    }
    ';

    server {
        listen 8082;
        location / {
            proxy_set_header SSL_CLIENT_CERT $clientcert;
            proxy_set_header X-Amzn-Mtls-Clientcert '';
            proxy_set_header Host $http_host;
            proxy_pass http://ejbca:8082;            
        }
    }
}

I used it with nginx:alpine-perl container. If someone has a more elegant way of doing this I'm open to suggestions.