Passport.js strategy for PKI client certificate authentication
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Add Typescript type definitions file Jul 1, 2017
test Fix getPeerCertificate Feb 23, 2016
.gitignore Add integration tests Feb 21, 2016
.jshintrc Add tests; fail if cert is not present or is empty Jul 6, 2014
.travis.yml Add Node 7 to .travis.yml May 24, 2017
LICENSE Copyright Ripjar Sep 29, 2015 Added passReqToCallback documentation to README Sep 29, 2015



passport.js strategy for TLS client certificate authentication and authorisation.

passport-client-cert is for TLS connections direct to a Node.js application.


The strategy constructor requires a verify callback, which will be executed on each authenticated request. It is responsible for checking the validity of the certificate and user authorisation.


  • passReqToCallback - optional. Causes the request object to be supplied to the verify callback as the first parameter.

The verify callback is passed with the client certificate object and a done callback. The done callback must be called as per the passport.js documentation.

var passport = require('passport');
var ClientCertStrategy = require('passport-client-cert').Strategy;

passport.use(new ClientCertStrategy(function(clientCert, done) {
  var cn =,
      user = null;
  // The CN will typically be checked against a database
  if(cn === 'test-cn') {
    user = { name: 'Test User' }
  done(null, user);

The verify callback can be supplied with the request object by setting the passReqToCallback option to true, and changing callback arguments accordingly.

passport.use(new ClientCertStrategy({ passReqToCallback: true }, function(req, clientCert, done) {
  var cn =,
      user = null;
  // The CN will typically be checked against a database
  if(cn === 'test-cn') {
    user = { name: 'Test User' }
  done(null, user);


Install and start the example server app:

$ npm install
$ cd example
$ node example-server.js

Submit a request with a client certificate:

$ curl -k --cert certs/joe.crt --key certs/joe.key --cacert certs/ca.crt https://localhost:3443

If curl fails and you are using OSX Mavericks or newer (where support for ad-hoc CA certifcates is broken, try wget instead:

$ wget -qSO - --no-check-certificate --certificate=certs/joe.crt --private-key=certs/joe.key --ca-certificate=certs/ca.crt https://localhost:3443/

Requests submitted with joe.crt are authorised because joe is in the list of valid users. Requests submitted without a certificate, or with bob.crt will fail with a HTTP 401.


$ npm install
$ npm test


The MIT Licence