In most TLS handshakes only the server is authenticated: the client verifies the server's certificate and so knows it is talking to the host it intended, but the server learns nothing about who the client is. For most web applications this is fine, because the application authenticates users with credentials on top of TLS. Some applications, however, require the client to present its own certificate during the TLS handshake (mutual TLS), and a scanner that cannot do so never gets past the handshake, let alone to the application.

To scan a web application that requires a client certificate in Acunetix, open the Target in question, switch to the HTTP tab and enable Client Certificate. You can then upload the client certificate in PKCS #12 format (typically a .pfx or .p12 file), which the scanner will present during the TLS handshake with the Target.


PKCS #12 is a container format that stores the private key together with the certificate (and, optionally, the issuing CA chain) in a single password-protected file, which is why it is the usual format for distributing client certificates. If your private key and certificate are in separate PEM files, converting them to PKCS #12 is as straightforward as running the following OpenSSL command.

openssl pkcs12 -export -out client.pfx -inkey privatekey.key -in certificate.crt

It is best practice to protect the PKCS #12 file with a password (the command above prompts for an export password; do not leave it empty, since anyone who obtains the file would then hold the private key). You will in turn need to provide that password to Acunetix when setting up the Target's client certificate.

Once you’re done, click Save to save and apply your settings. You may now crawl and scan the Target using the newly set-up client certificate.
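The following script is an added example and is not part of the original post or of Acunetix itself. It walks through the procedure above end to end: it generates a throwaway CA and a client certificate issued by it (in a real engagement these come from the application owner), exports key, certificate and CA chain into a password-protected PKCS #12 bundle with the same openssl pkcs12 -export call as above, and then runs the three checks worth doing before uploading the file to a scanner: the bundle opens with the password, the private key inside it actually belongs to the certificate, and a wrong password is rejected. The subjects "Demo Client CA" and "scanner", the file names and the default password are assumptions for the demo; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): build a client-certificate
# PKCS #12 bundle and verify it before handing it to a scanner.
# Assumptions for the demo: subjects, file names and the password below.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl CLI is required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"          # scratch directory for all files
PFX_PASS="${PFX_PASS:-changeit}"      # export password (assumed for the demo)

# Generate a throwaway CA and a client certificate signed by it. In practice
# the application owner issues the client certificate; this only stands in.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=scanner" \
        -keyout "$WORK/privatekey.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/certificate.crt" 2>/dev/null
}

# Export key + certificate (+ issuing CA via -certfile) to a password-protected
# PKCS #12 file. This is the file the scanner expects; -passout replaces the
# interactive prompt the post's command shows.
export_pkcs12() {
    openssl pkcs12 -export -out "$WORK/client.pfx" \
        -inkey "$WORK/privatekey.key" -in "$WORK/certificate.crt" \
        -certfile "$WORK/ca.crt" \
        -passout "pass:$PFX_PASS"
}

# Check 1: the bundle opens with the password and carries a client certificate.
# Prints the certificate subject (the PEM reader skips the "Bag Attributes" text).
pfx_subject() {
    openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Check 2: the private key in the bundle matches the certificate. Compare the
# SHA-256 of the public key taken from each, rather than trusting file names.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: a wrong password must fail the MAC check, i.e. the file is really
# protected by the password you will type into the scanner.
pfx_rejects_wrong_password() {
    ! openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:wrong-$PFX_PASS" \
        -noout -nokeys >/dev/null 2>&1
}

make_demo_material
export_pkcs12
echo "bundle: $WORK/client.pfx"
echo "certificate: $(pfx_subject)"
pfx_key_matches_cert || { echo "private key does not match certificate" >&2; exit 1; }
pfx_rejects_wrong_password || { echo "bundle opens without the password" >&2; exit 1; }
echo "bundle verified; upload client.pfx and enter the export password in Acunetix"
```

One caveat to keep in mind: OpenSSL 3 encrypts PKCS #12 bundles with AES-256-CBC and PBKDF2 by default, whereas older releases used RC2/3DES with a SHA-1 MAC. Most consumers accept the newer defaults, but if the software you are uploading to rejects the file, re-exporting with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 reproduces the old format at the cost of weaker protection, so keep such a file's lifetime short.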

Ian Muscat

Ian Muscat used to be a technical resource and speaker for Acunetix. More recently, his work centers around cloud security and phishing simulation.