How to use a client certificate at the invites page


We have an ‘invite only’ Discourse installation. When we send an invite, the invitee should only be able to accept the invitation when a certain client certificatie is present in the browser.

Any clues on how to achieve this?

Grtz Harmstra

1 Like

You need something like this to end up in your nginx configuration:

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client on;

If it should just be present for invites, you will need to do this in a location block containing the invitation accept route.


Hi @michaeld,

Is it also possible to use a certificate field and save it to the user instance as a user field? So let’s say that we want to save the expiry date, can we do that?

This seems bizarrely complicated. What is your use case?


I agree that it is.

The use case is that there’s an organization here that does authentication of companies using those client certificates. We’re trying to create a Discourse instance where only those companies get access to it. Seems easy enough based on the nginx snippet provided by @michaeld.

In that certificate is also a company number, we’d like to get that number and make it available in the Discourse instance. That way the can easily find each other and they’re identifiable based on just their company number.

I hope it’s clear by now, if not, feel free to ask

1 Like

Wow. That sounds less silly than I’d have imagined!

Can you count on people from those companies to be using a company email address? That’d be much easier than a plugin that could read the certificate. You could even map it backward to the company number if that number is somehow very important.

You could pass the certificate to Discourse using a line like

proxy_set_header X-Cert-DN: $ssl_client_s_dn;

and then have some sort of plugin to read the value from the header.