How do I pass an X509 certificate through cascading https servers?

Rob Fielding

You can forward the certificate on to another tier, but the certificate itself doesn't actually do much unless you can challenge the certificate holder to prove its identity. You might as well just simply pass on the user's name. (The certificate is not a secret, right?)

  A       -> B    -> C         -> D
 (browser)  (web) (middleware)  (db)

You can only have point-to-point certificate authentication with SSL. A auths B, B auths C, C auths D. SSL has no provisions for "tunnelling" challenges and responses across intermediate tiers. The big reason I can think of why SSL would be designed this way is that the only real concern was getting credit card numbers from end-users, and making SSL work in multiple tiers just complicated things too much. D will have to be happy with knowing that it was definitely C that connected, and will have to take it on faith that A is on the other end of all of this - because it assumes that C is trustworthy. And C assumes it is A on the other end because B is trustworthy.

So, in your back-end tier the getRemoteUser will return the identifier for a webserver user and NOT the user on the other end. You cannot authenticate to D with A's certificate, because the connection from C to D cannot get access to A's private key material. So, what we did to get around the problem is to simply have B pass on an http parameter that declares that A is the "real" user instead of getRemoteUser. A is in our LDAP, so we continue processing on behalf of user A from inside of D.
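The approach in the answer above (point-to-point certificate auth, plus a forwarded "real user" parameter) only holds up if the back-end tier D honours that parameter solely when it arrives from a tier D has authenticated and explicitly trusts to vouch for end users; otherwise anyone able to open a connection to D could name any user they like. The following is an added example, not code from the original post, of how D can make that decision. The header name `X-Forwarded-User`, the tier hostnames and the certificate layout (mirroring what Python's `ssl.SSLSocket.getpeercert()` returns after a verified mTLS handshake) are assumptions for the example.

```python
"""
Added example (not from the original post): how back-end tier D decides whom
a request is acting for.

Two rules are encoded:
  1. D authenticates its direct peer with a TLS client certificate. That is
     all TLS gives you across tiers: point-to-point authentication.
  2. D honours the forwarded end-user identifier only when the peer is one
     of the tiers it explicitly trusts to assert identities. From any other
     peer the effective user is the peer itself, exactly what getRemoteUser
     would report.
"""
from typing import Mapping, Optional

# Tiers D trusts to assert the real end user (assumed hostnames).
TRUSTED_ASSERTING_TIERS = frozenset({"middleware.example.internal"})

# Assumed name of the parameter B/C set to declare the real user.
FORWARDED_USER_HEADER = "X-Forwarded-User"

# Constructed sample: the dict ssl.getpeercert() would return for the
# middleware tier's verified client certificate, trimmed to the fields
# used here (subject is a tuple of RDNs, each a tuple of (attr, value)).
MIDDLEWARE_CERT = {
    "subject": (
        (("organizationName", "Example Corp"),),
        (("commonName", "middleware.example.internal"),),
    ),
}

# Constructed sample: some other authenticated but non-vouching client.
OTHER_CLIENT_CERT = {
    "subject": ((("commonName", "reporting.example.internal"),),),
}


def peer_common_name(peer_cert: Mapping) -> Optional[str]:
    """Extract the subject commonName from a getpeercert()-style dict."""
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def effective_user(peer_cert: Optional[Mapping], headers: Mapping[str, str]) -> str:
    """Return the identity D should act on behalf of.

    Raises PermissionError if the peer presented no verified client
    certificate: D never acts for an unauthenticated connection.
    """
    if not peer_cert:
        raise PermissionError("peer did not present a verified client certificate")
    peer = peer_common_name(peer_cert)
    if peer is None:
        raise PermissionError("peer certificate has no commonName")

    # Header names are case-insensitive; normalise before lookup.
    forwarded = {k.lower(): v for k, v in headers.items()}.get(
        FORWARDED_USER_HEADER.lower()
    )

    # Only a trusted intermediate may vouch for the real end user (A).
    if forwarded and peer in TRUSTED_ASSERTING_TIERS:
        return forwarded

    # Any other caller is only ever itself; a forwarded header from an
    # untrusted peer is ignored rather than believed.
    return peer


if __name__ == "__main__":
    print(effective_user(MIDDLEWARE_CERT, {"X-Forwarded-User": "alice"}))   # alice
    print(effective_user(MIDDLEWARE_CERT, {}))                              # middleware.example.internal
    print(effective_user(OTHER_CLIENT_CERT, {"X-Forwarded-User": "alice"})) # reporting.example.internal
```

The same rule has to be applied one hop earlier: B must set the forwarded-user value itself from the identity it authenticated, and must drop any such header that the browser A supplied, otherwise the parameter is attacker-controlled before it ever reaches D. Binding the assertion to a mutually authenticated peer is what turns "take it on faith" into a bounded trust relationship: the only parties that can name user A to D are the tiers D has chosen to trust for that purpose.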