Mutual TLS Authentication (Client Certificate Authentication)?

Product: PowerShell Universal
Version: 1.4.6

Has support for Mutual TLS Authentication (Client Certificate Authentication) been considered for authenticated API endpoints? Would it be considered? I wanted to ask before I spend time drafting up a GitHub issue Feature Request.

API ‘Shared Secret’ token distribution can be difficult in some environments; my environment in particular has many thousands of client agents, all in different security domains.

One way is to have one or more Trusted Root/Issuing CAs, administrator-defined in PowerShell Universal, that are responsible for issuing certificates to API clients. The Security Roles of a connecting client could be recorded under a custom EKU OID. I’ve done the same before.

I know this can currently be achieved by putting an HAProxy or NGINX instance in front of the server to handle such mTLS and pass on trusted headers or something, but having it integrated would reduce maintenance and complexity, and allow us to take advantage of the very mature PKI technology ecosystem for authenticating clients.

Some developer resources:

This has been considered but not implemented. We had another request for this in the past. Feel free to submit a feature request.
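
The CA-plus-EKU scheme proposed in the question, sketched as an added example (not PowerShell Universal code and not from the original posts): it trusts only a supplied list of roots and maps custom EKU OIDs to roles. The function names, role names and the OIDs under the documentation arc 1.3.6.1.4.1.32473 are hypothetical, and PowerShell 7.1 or later is assumed for the custom trust store.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical role OIDs under the documentation enterprise arc (constructed values).
$RoleOids = @{ '1.3.6.1.4.1.32473.1.1' = 'Administrator'; '1.3.6.1.4.1.32473.1.2' = 'Reader' }

function Get-ClientCertificateRole {
    param([X509Certificate2]$Certificate, [X509Certificate2[]]$TrustedRoot, [hashtable]$RoleMap)
    $chain = [X509Chain]::new()
    try {
        # Trust only the administrator-defined roots, never the machine store.
        $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
        foreach ($root in $TrustedRoot) { [void]$chain.ChainPolicy.CustomTrustStore.Add($root) }
        # The constructed test CAs publish no CRL; a real deployment should check revocation.
        $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
        if (-not $chain.Build($Certificate)) { return @() }   # untrusted issuer, expired, bad signature
    } finally { $chain.Dispose() }
    $eku = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return @() }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object Value)
    # Require clientAuth so a certificate issued for another purpose grants no role.
    if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { return @() }
    return @($oids | Where-Object { $RoleMap.ContainsKey($_) } | ForEach-Object { $RoleMap[$_] })
}

# Constructed sample input: throwaway in-memory CAs and client certificates.
function New-ConstructedCa([string]$Name) {
    $req = [CertificateRequest]::new("CN=$Name", [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($true, $false, 0, $true))
    $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))
}
function New-ConstructedClient([X509Certificate2]$Ca, [string[]]$EkuOid) {
    $req = [CertificateRequest]::new('CN=agent-01', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOid) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.Create($Ca, [DateTimeOffset]::Now.AddMinutes(-1), [DateTimeOffset]::Now.AddHours(1), [byte[]](1..8))
}

$trustedCa = New-ConstructedCa 'Constructed Trusted CA'
$otherCa   = New-ConstructedCa 'Constructed Untrusted CA'
$admin     = New-ConstructedClient $trustedCa '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.32473.1.1'
$foreign   = New-ConstructedClient $otherCa   '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.32473.1.1'
Get-ClientCertificateRole $admin   @($trustedCa) $RoleOids   # issued by the trusted CA
Get-ClientCertificateRole $foreign @($trustedCa) $RoleOids   # same EKUs, issuer outside the trust list
```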