Home / Docs / Articles / Client Certificate Authentication

Client Certificate Authentication (Mutual TLS)

LPS supports mutual TLS (mTLS) authentication, allowing you to present a client certificate when connecting to APIs that require certificate-based identity verification. This is commonly used with API gateways, internal services, and environments that enforce two-way SSL.

How It Works

In standard TLS, only the server presents a certificate. With mutual TLS, the client also presents a certificate so the server can verify the client's identity. LPS handles this by attaching a client certificate file to outgoing requests.

Supported Certificate Formats

Extension Format Password Required
.pfx PKCS#12 Optional
.p12 PKCS#12 Optional
.pem Base64-encoded No
.cer DER or Base64-encoded No
.crt DER or Base64-encoded No

Note: For mTLS the certificate file must include the private key for authentication to work.

  • .pfx / .p12 bundle the certificate and private key together — recommended for mTLS.
  • .pem can contain both certificate and key in a single file, or just the certificate.
  • .cer / .crt usually contain only the public certificate (no private key).

Command-Line Usage

Use the --clientcertificatepath option to specify the path to your client certificate file:

lps --url https://www.example.com/vcc/ --clientcertificatepath .\cert.pfx

Options

  • --clientcertificatepath <path>: Path to the client certificate file (.pfx, .p12, .pem, .cer, .crt).
  • --clientcertificatepassword <password>: Password for the certificate file (if required).

Example with Password

lps --url https://www.example.com/vcc/ --clientcertificatepath .\cert.pfx --clientcertificatepassword MySecretPassword

YAML Script Usage

In YAML test scripts, configure client certificate authentication at the httpRequest level using clientCertificatePath and optionally clientCertificatePassword:

name: ClientCertificateTest
rounds:
- name: TestRound
  numberOfClients: 1
  arrivalDelay: 0
  iterations:
  - name: GraphQLRequest
    httpRequest:
      url: https://www.example.com/vcc/
      httpMethod: GET
      clientCertificatePath: .\cert.pfx
      clientCertificatePassword: No-access
    mode: R
    requestCount: 1

Key Attributes

Attribute Description
clientCertificatePath Path to the client certificate file — .pfx, .p12, .pem, .cer, or .crt (relative or absolute).
clientCertificatePassword Password to decrypt the certificate file. Required only if the file is password-protected (.pfx / .p12).

Notes

  • Supported formats: .pfx, .p12, .pem, .cer, .crt. For mTLS, .pfx or .p12 is recommended since they bundle the certificate and private key together.
  • Relative paths are resolved from the working directory where lps is executed.
  • The certificate is attached per-request based on the httpRequest configuration, allowing different iterations to use different certificates if needed.