Does API Gateway forward the client certificate?

Question

Using custom domain name with API Gateway and enabled Mutual TLS, does API Gateway forward the authenticated client certificate to the back-end (Lambda)?

As with other reverse proxies like NGINX, Apache & CloudFlare there is option to forward the encoded client certificate in the headers (after validating it)

Accepted Answer

You will need to use request [mapping templates](https://docs.aws.amazon.com/apigateway/latest/developerguide/models-mappings.html) to build the payload that is sent to the backend integration. You will include in there the relevant context variables. You can find the full list [here](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference).

Answer

For Lambda I figured that the certificate is available inside the event APIGatewayProxyEvent under requestContext.identity.clientCert which had the encoded certificate under clientCertPem along with other parameters like serialNumber, issuerDN, validity & subjectDN

Although now I'm want to know how this is handled if API Gateway is pointing toward different back-end? Will it be included in the headers?

Does API Gateway forward the client certificate?

관련 콘텐츠