setClientCertificateAction Action

Attach a client certificate to outbound exchanges so Fluxzy can complete an mTLS handshake on behalf of the client.

Mutual TLS is a common requirement for internal APIs, partner integrations, and financial back ends. Fluxzy can intercept this traffic and complete the handshake with a real client certificate on your behalf, which makes it possible to debug requests that you could otherwise only observe at the application layer. The setClientCertificateAction is the entry point for this workflow: it selects a certificate, hands it to the TLS stack, and lets the rest of your rule pipeline operate as usual.

When to use this action

Reach for setClientCertificateAction whenever an upstream server requires mTLS and the original client cannot present a certificate, or when you want Fluxzy to substitute one for testing and observability purposes. Typical situations include:

  • Inspecting traffic between a mobile app and an enterprise API that enforces mTLS.
  • Running automated tests against an internal service that authenticates clients with a certificate.
  • Bridging a development tool that does not support client certificates with a production system that does.

The action runs on the onAuthorityReceived scope, so the certificate is selected as soon as Fluxzy knows the destination host. Combine it with a hostFilter or authorityFilter to scope the certificate to a specific upstream.

Real world examples

Use a certificate from the local user store by thumbprint

Pick a certificate already installed in the current user store using its hex thumbprint. This is the most portable option on Windows and macOS.

rules:
- filter:
    typeKind: HostFilter
    pattern: api.internal.example.com
  actions:
  - typeKind: SetClientCertificateAction
    clientCertificate:
      retrieveMode: FromUserStoreThumbPrint
      thumbPrint: 9b74a1d3f8e2c47c0b6e2bb4f6c5c2e1a7f0d3b9

Load a certificate from a PKCS#12 file

Useful in containers and CI runners where the user store is not available. Keep the password in an environment variable rather than in the rule file itself.

rules:
- filter:
    typeKind: AnyFilter
  actions:
  - typeKind: SetClientCertificateAction
    clientCertificate:
      retrieveMode: FromPkcs12
      pkcs12File: /etc/fluxzy/client.p12
      pkcs12Password: changeit
    alwaysSendClientCertificate: false

Force the certificate to be sent even if the server does not request it

Some misconfigured servers expect a client certificate without sending a CertificateRequest. Set alwaysSendClientCertificate to true to push the certificate during the handshake.

rules:
- filter:
    typeKind: AuthorityFilter
    host: legacy.example.com
    port: 8443
  actions:
  - typeKind: SetClientCertificateAction
    clientCertificate:
      retrieveMode: FromUserStoreSerialNumber
      serialNumber: 00a1b2c3d4e5f6
    alwaysSendClientCertificate: true

Reference

setClientCertificateAction

Description

Add a client certificate to the exchange. The client certificate is used to establish mTLS authentication if the remote requests it. The client certificate can be retrieved from the default store (my) or from a PKCS#12 file (.p12, .pfx).
The certificate is not stored in Fluxzy settings and must therefore be available at runtime.

Evaluation scope

Evaluation scope defines the moment at which this action is applied.

onAuthorityReceived: This scope denotes the moment Fluxzy becomes aware of the destination authority. In a regular proxy connection, this occurs when Fluxzy has parsed the CONNECT request.

YAML configuration name

setClientCertificateAction

Settings

The following table describes the customizable properties available for this action:

| Property | Type | Description | DefaultValue |
|---|---|---|---|
| clientCertificate.retrieveMode | fluxzyDefault \| fromUserStoreSerialNumber \| fromUserStoreThumbPrint \| fromPkcs12 | Retrieve mode | |
| clientCertificate.serialNumber | string | Serial number of a certificate available on user store | |
| clientCertificate.thumbPrint | string | Thumbprint of a certificate available on user store (hex format) | |
| clientCertificate.pkcs12File | string | Path to a PKCS#12 certificate | |
| clientCertificate.pkcs12Password | string | Certificate passphrase when Pkcs12File is defined | |
| alwaysSendClientCertificate | boolean | | false |

Example of usage

The following example applies this action to any exchange.

Use a certificate with serial number xxxxxx retrieved from the local user store to establish mTLS authentication.

rules:
- filter:
    typeKind: AnyFilter
  actions:
  - typeKind: SetClientCertificateAction
    clientCertificate:
      retrieveMode: FromUserStoreSerialNumber
      serialNumber: xxxxxx

.NET reference

View definition of SetClientCertificateAction for .NET integration.

Frequently asked questions

Does Fluxzy store the certificate or its password?

No. Fluxzy reads the certificate at runtime from the user store or the PKCS#12 file path you provide. The credential is never persisted in the rule file output.

What happens if the upstream server does not actually request a client certificate?

Nothing, unless alwaysSendClientCertificate is set to true. By default Fluxzy waits for a CertificateRequest from the server before presenting the certificate.

Can I use the same rule for several hostnames?

Yes. Pair setClientCertificateAction with a FilterCollection or a regex-based hostFilter to cover several destinations with a single configuration.

Why does my action fail with a private key error on Linux?

The PKCS#12 file must include the private key and be readable by the user running Fluxzy. Re-export the bundle with openssl pkcs12 -export -inkey key.pem -in cert.pem -out client.p12 and verify file permissions.
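A pre-flight check for the two conditions named above, added here as an example and not part of Fluxzy or its documentation. It assumes openssl is on PATH and that the passphrase is exported in a variable named P12_PASS (a name chosen for this example); the sample bundles are constructed from a throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example (not Fluxzy code): pre-flight check for the bundle named in pkcs12File.
# Assumed: openssl on PATH; passphrase exported as P12_PASS (name chosen for this example).

# check_p12 FILE: prints one finding per line, exits 0 only when there are none.
check_p12() (
  file=$1; rc=0
  [ -r "$file" ] || { echo "unreadable"; exit 1; }
  # -passin env: keeps the passphrase out of argv and shell history.
  openssl pkcs12 -in "$file" -passin env:P12_PASS -noout 2>/dev/null \
    || { echo "cannot-open"; exit 1; }        # wrong passphrase or not PKCS#12
  # A bundle exported without the key still opens, but cannot be used for mTLS.
  openssl pkcs12 -in "$file" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY' || { echo "no-private-key"; rc=1; }
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] \
    || { echo "group-or-world-access"; rc=1; }
  exit "$rc"
)

# make_samples DIR: constructed inputs, one usable bundle and one exported without its key.
make_samples() (
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
    -subj "/CN=constructed-client" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey key.pem -in cert.pem -out client.p12 -passout env:P12_PASS
  openssl pkcs12 -export -nokeys -in cert.pem -out certonly.p12 -passout env:P12_PASS
  chmod 600 key.pem client.p12
  chmod 644 certonly.p12
)

P12_PASS='constructed-passphrase'; export P12_PASS   # constructed value for the demo
demo_dir=$(mktemp -d) && make_samples "$demo_dir"
for f in client.p12 certonly.p12; do
  echo "$f: $(check_p12 "$demo_dir/$f" | tr '\n' ' ')"
done
```

Run it under the same account and in the same container image that runs Fluxzy, so the readability result reflects the real runtime user.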