This project demonstrates how to validate client certificates (mTLS) via CRL using Akamai EdgeWorkers, blocking access for revoked certificates based on a local file (data.js). It is designed for use cases where Property Manager require certificate revocation checks at the Edge.

• Validates client certificate presence via Akamai Variables ex.: PMUSER_CLIENT_CERT_FINGERPRINT
• Blocks revoked certificates with HTTP 403 and a custom JSON response
• Returns HTTP 401 when no client certificate is provided with a custom JSON response
• Uses a local list (data.js) of revoked fingerprints (no EdgeKV dependency), but it could be extended using EdgeKV
• Works directly via Property Manager + EdgeWorkers

├── main.js          # Main logic of the EdgeWorker
├── data.js          # Local list of revoked fingerprints
├── bundle.json      # Manifest file with metadata information

1. Package the EdgeWorker

• Copy the project and enter on the main directory

tar zcvf * ../crl.tgz

2. Manage EdgeWorkers

Create an EdgeWorkers

3. Link it via Property Manager

• Add the EdgeWorkers behavior
• Set the EdgeWorker ID
• Add a match rule (example: /*)
• Add the PMUSER_CLIENT_CERT_FINGERPRINT variable via Property Manager

Reference Link

4. Structure in data.js

export const revokedFingerprints = [
  '15D21AE3FA1051EDEADC901C',
  '15D21AE3FA1051EDEADC821C'
];

401 - No Client Certificate

{
  "status": "unauthorized",
  "message": "Client certificate not found. Access denied!"
}

403 - Revoked Certificate

{
  "status": "revoked",
  "message": "This certificate has been revoked. Access denied."
}

• Akamai EdgeWorkers Overview
• EdgeWorkers Event Handlers
• JavaScript API for EdgeWorkers
• PMUSER Variables
• EdgeWorkers Examples Repository
• Surrogate Response Example

Pull requests are welcome! Feel free to open issues and suggest improvements.

Read this README in Português

MIT License