# GEP-91: Client Certificate Validation for TLS terminating at the Gateway Listener

* Issue: [#91](https://github.com/kubernetes-sigs/gateway-api/issues/91)
* Status: Provisional

(See definitions in [GEP Status](/contributing/gep#status).)

## TLDR

This GEP proposes a way to validate the TLS certificate presented by the downstream client to the server
(the Gateway Listener in this case) during the [TLS Handshake Protocol][], also commonly referred to as mutual TLS (mTLS).

## Goals

- Define an API field to specify the CA Certificate within the Gateway Listener configuration that can be used as a trust anchor to validate the certificates presented by the client.

## Non-Goals

- Define other fields that can be used to verify the client certificate, such as the Certificate Hash or Subject Alternative Name.
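
As an added illustration (not code from this GEP or the Gateway API project), the check a Listener would perform once such a CA field exists, written in Go with `crypto/x509`: a constructed CA and client certificate, and the [Certificate Path Validation][] step that accepts a client certificate issued by the configured CA and rejects one from any other issuer. The helper names `newCert` and `validateClientCert` are assumptions for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert mints a constructed certificate for name: a self-signed CA when parent is nil,
// otherwise a client leaf certificate issued by parent and signed with parentKey.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // trust anchor: a CA allowed to sign client certificates
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: usable for client authentication only
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return cert, key
}

// validateClientCert is the check the listener performs on the certificate the client presents
// in the handshake: RFC 5280 path validation to the single CA configured on the listener.
func validateClientCert(client, listenerCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(listenerCA)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

Because only the configured CA is in the root pool, a certificate chaining to any other issuer, however well-formed, fails validation and the handshake is rejected.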
18
## References

[TLS Handshake Protocol]: https://www.rfc-editor.org/rfc/rfc5246#section-7.4
[Certificate Path Validation]: https://www.rfc-editor.org/rfc/rfc5280#section-6