[GH-ISSUE #392] [feature]: Configuration client certificates for SSL #147

Closed
opened 2026-03-16 13:40:52 +03:00 by kerem · 21 comments

Originally created by @HobaiRiku on GitHub (Dec 3, 2019).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/392

Is your feature request related to a problem? Please describe.
Can PW set client certificates for SSL requests? In some cases, we want to test requests for a PaaS service that needs special client certificates.

Describe the solution you'd like
I'm not sure this can be done relying on the browser only.

Describe alternatives you've considered

Additional context


@liyasthomas commented on GitHub (Dec 3, 2019):

That's possible. I think axios does have support for importing .pem certs.


@liyasthomas commented on GitHub (Mar 29, 2020):

@HobaiRiku can you test the client certificate feature?
Steps:

  1. visit: https://deploy-preview-720--postwoman.netlify.com/
  2. choose method: post
  3. upload .pem certificate by clicking "Certs" icon right next to "Raw input" toggle
  4. send request

and see if it works.


@HobaiRiku commented on GitHub (Mar 29, 2020):

I have tested using the chinanet IoT platform's key and cert, but Chrome shows an ERR_CERT_COMMON_NAME_INVALID error.

In Postman, the key and cert can be set like this: (image)
So I converted them to a *.pem file and uploaded it as Postwoman's cert file.
By the way, I need to skip the verification of this certificate in my Postman, and I don't have other valid servers to test right now; maybe that is the problem?
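
Added example (not from the thread): `ERR_CERT_COMMON_NAME_INVALID` is Chrome's report that the server certificate's names do not cover the requested host, a check that is independent of any client certificate. The Node.js code below classifies a peer certificate the way that check sees it; the certificate objects and host names are constructed, and `classifyServerName` is a hypothetical helper name.

```javascript
const tls = require("node:tls");

// Classify how a server certificate covers `host`. `cert` has the shape
// returned by tlsSocket.getPeerCertificate(); the function name is hypothetical.
function classifyServerName(host, cert) {
  // SAN entries that hostname verification actually uses.
  const sanNames = (cert.subjectaltname || "")
    .split(", ")
    .filter((n) => n.startsWith("DNS:") || n.startsWith("IP Address:"));

  // Node's own verifier: returns an Error on mismatch, undefined on success.
  const err = tls.checkServerIdentity(host, cert);
  if (err) {
    return { verdict: "mismatch", sanNames, detail: err.message };
  }
  if (sanNames.length === 0) {
    // Node falls back to the subject CN when no SAN is present; Chrome
    // matches SAN entries only, so this certificate still fails there.
    return { verdict: "cn-only", sanNames, detail: `matched CN ${cert.subject.CN}` };
  }
  return { verdict: "san-match", sanNames, detail: "matched a subjectAltName entry" };
}

// Constructed certificate objects (not captured from any real server).
const SAMPLES = {
  otherHost: {
    subject: { CN: "platform.example.test" },
    subjectaltname: "DNS:platform.example.test",
  },
  cnOnly: { subject: { CN: "api.example.test" } },
  wildcard: {
    subject: { CN: "example.test" },
    subjectaltname: "DNS:*.example.test, DNS:example.test",
  },
};
```

A `mismatch` or `cn-only` verdict is fixed on the server certificate or on the host name used in the request; turning verification off hides the result rather than resolving it.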


@parthg-wysa commented on GitHub (Dec 24, 2021):

Hi. Is this supported on the latest version of Hoppscotch @liyasthomas?


@liyasthomas commented on GitHub (Dec 24, 2021):

> Hi. Is this supported on the latest version of Hoppscotch @liyasthomas?

No, it's not supported at this moment.


@parthg-wysa commented on GitHub (Dec 24, 2021):

Oh, Thanks. Are there any plans of supporting this in the near future?


@nbraun-wolf commented on GitHub (Mar 4, 2022):

One of the most basic features is not supported. I am surprised.


@elad-eyal commented on GitHub (Apr 12, 2022):

support will be appreciated


@ns-sjli commented on GitHub (May 15, 2022):

I agree this is a basic feature for API testing, can we make this a high priority?


@rimonhanna commented on GitHub (Dec 11, 2023):

+1


@Lynnes001 commented on GitHub (Jan 3, 2024):

Welcome to 2024 and how are the updates?


@scheibling commented on GitHub (Mar 21, 2024):

@liyasthomas Do you still have your trial implementation from https://github.com/hoppscotch/hoppscotch/issues/392#issuecomment-605554712? I'd be happy to take a look at this


@rimonhanna commented on GitHub (Apr 9, 2024):

the old version implementation: https://github.com/hoppscotch/hoppscotch/pull/720/files


@ispy1 commented on GitHub (Apr 26, 2024):

Does this feature support community self deployment versions?


@mkohns commented on GitHub (Apr 28, 2024):

Would be great to get this feature sorted out. mTLS (aka client credentials) per URL/Host is an important feature and increases value of hoppscotch.


@Breee commented on GitHub (Jun 14, 2024):

@liyasthomas this issue has been open for almost 5 years now.
Is there any plan to tackle this issue? For us this is a basic feature and mandatory to replace Postman.


@liudonghua123 commented on GitHub (Jun 14, 2024):

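For client certificates, it may be impossible to implement them in a pure browser environment. The Fetch API (https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch) in web browsers does not support the agent option, which is necessary in a Node.js environment to implement client certificates.

However, for desktop applications, it is possible because the underlying fetch implementation does not have these limitations. For example, I have successfully skipped server certificate verification in my self-maintained hoppscotch-app (https://github.com/liudonghua123/hoppscotch-app), which is packaged via Tauri. This has been maintained for almost three years (https://github.com/liudonghua123/hoppscotch-app/commit/c4890f6043f45ade467ff99f7a04f186ae9fea74), long before the official Hoppscotch Desktop (https://github.com/hoppscotch/releases). For more details, see the discussion: https://github.com/hoppscotch/hoppscotch/issues/882#issuecomment-1923668984

For additional information, you can also refer to this blog post about client-side SSL in Node.js with fetch: https://sebtrif.xyz/blog/2019-10-03-client-side-ssl-in-node-js-with-fetch/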
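
The Node.js side of the point above, as an added example that is not part of the original comment or of Hoppscotch's code: the client certificate is passed through an `https.Agent`, chosen per host so an identity is only offered to the host it was configured for, with server verification left on. The table shape, the function names, the host `iot.example.test` and the PEM bodies are constructed for illustration.

```javascript
const https = require("node:https");

// Matches each PEM block and captures its label, e.g. "CERTIFICATE".
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]+?-----END \1-----/g;

// Split one uploaded .pem bundle into the certificate chain and the private key.
function splitPemBundle(pem) {
  const certs = [];
  const keys = [];
  for (const [block, label] of pem.matchAll(PEM_BLOCK)) {
    if (label === "CERTIFICATE") certs.push(block);
    else if (label.endsWith("PRIVATE KEY")) keys.push(block);
  }
  if (certs.length === 0 || keys.length !== 1) {
    throw new Error("bundle needs at least one CERTIFICATE and exactly one PRIVATE KEY");
  }
  return { cert: certs.join("\n"), key: keys[0] };
}

// Resolve TLS options for one request. `table` maps "host[:port]" to
// { pem, ca? }; the table shape and function names are hypothetical.
function agentOptionsFor(url, table) {
  const target = new URL(url);
  if (target.protocol !== "https:") {
    throw new Error("client certificates are only presented over https");
  }
  // Server verification stays on; a private CA goes in `ca` instead.
  const options = { rejectUnauthorized: true };
  const entry = Object.hasOwn(table, target.host) ? table[target.host] : undefined;
  if (!entry) return options; // unknown host: never offer an identity
  Object.assign(options, splitPemBundle(entry.pem));
  if (entry.ca) options.ca = entry.ca;
  return options;
}

// The agent is what a Node.js HTTP client takes in its `agent` option.
function agentFor(url, table) {
  return new https.Agent(agentOptionsFor(url, table));
}

// Constructed sample data: the base64 bodies are placeholders, not key material.
const SAMPLE_BUNDLE = [
  "-----BEGIN CERTIFICATE-----", "Q09OU1RSVUNURUQ=", "-----END CERTIFICATE-----",
  "-----BEGIN PRIVATE KEY-----", "Q09OU1RSVUNURUQ=", "-----END PRIVATE KEY-----",
].join("\n");
const SAMPLE_TABLE = { "iot.example.test:8443": { pem: SAMPLE_BUNDLE } };
```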


@liudonghua123 commented on GitHub (Jun 14, 2024):

Because the underlying network library used in Tauri is the reqwest library, I asked ChatGPT "How to implement client certificate in reqwest in a rust app. Give the example code." The following is the answer it gave me. Maybe it's a hint or clue on how to implement this feature.

To implement client certificate authentication in a Rust application using the reqwest library, you'll need to create a Client with the client certificate and its private key. Below is an example code demonstrating how to achieve this:

  1. Add dependencies in Cargo.toml:

    [dependencies]
    # Identity::from_pem is provided by reqwest's rustls-tls backend
    reqwest = { version = "0.11", features = ["rustls-tls"] }
    tokio = { version = "1", features = ["full"] }
    
  2. Implement client certificate authentication in your Rust application:

    use reqwest::{Certificate, Client, Identity};
    use std::error::Error;
    use std::fs;
    
    #[tokio::main]
    async fn main() -> Result<(), Box<dyn Error>> {
        // Load the client certificate (PEM)
        let mut identity_pem = fs::read("path/to/your/client-cert.pem")?;
    
        // Load the client private key (PEM) and append it: Identity::from_pem
        // expects the certificate and its key together in one buffer
        identity_pem.push(b'\n');
        identity_pem.extend(fs::read("path/to/your/client-key.pem")?);
        let identity = Identity::from_pem(&identity_pem)?;
    
        // Load the CA certificate that signed the server's certificate
        // (placeholder path). Do not pass the client certificate here:
        // add_root_certificate makes its argument a trusted root.
        let server_ca = Certificate::from_pem(&fs::read("path/to/your/server-ca.pem")?)?;
    
        // Create the reqwest client with the trusted root and the client identity
        let client = Client::builder()
            .use_rustls_tls()
            .add_root_certificate(server_ca)
            .identity(identity)
            .build()?;
    
        // Make a request using the client
        let response = client
            .get("https://your-secure-server.com/endpoint")
            .send()
            .await?;
    
        // Print the response status and text
        println!("Status: {}", response.status());
        let body = response.text().await?;
        println!("Body: {}", body);
    
        Ok(())
    }
    

Explanation:

  1. Add Dependencies: Ensure that reqwest and tokio are included in your Cargo.toml. The tls feature for reqwest is necessary for HTTPS support.

  2. Load the Client Certificate: Read the client certificate from a file. In this example, it's assumed that the certificate is in PEM format.

  3. Load the Client Private Key: Similarly, read the private key from a file.

  4. Create the Reqwest Client:

    • Use Certificate::from_pem to load the server's certificate.
    • Use Identity::from_pem to load the client's identity (certificate and private key).
    • Build the reqwest::Client with the loaded certificate and identity.

  5. Make a Request: Use the client to make a request to a secure server.

Ensure that the paths to the certificate and key files are correct and that they are in PEM format. You can use OpenSSL to convert certificates and keys to PEM format if necessary.

This example uses async/await syntax with tokio for asynchronous execution, which is common in Rust applications that perform network I/O.


@scheibling commented on GitHub (Jun 16, 2024):

I think I discussed this with someone else in a different thread, but if we're talking basic mTLS authentication in combination with direct request and/or requests via the plugin we actually don't even really need to do a lot - because it works natively with most browsers.

If you're visiting a site/API that requires a client certificate in a separate tab and select that certificate for use with the domain, you can then use Hoppscotch directly or via the browser plugin to make mtls-authenticated requests to that API. The downside is that the configuration is a bit messy, but on the other hand, not a lot more messy than the postman implementation of 1-cert-per-hostname.

What doesn't work though is the requests that are sent via the proxy server, that would require some additional development and changes to work properly. Same for Yaade and a lot of other browser-based implementations, since they're using communication interfaces supplied by the browser you can then use the browser cert store to authenticate as well.

Edit: Looks like someone is working hard on the Desktop version already :-)
https://github.com/hoppscotch/hoppscotch/pull/4111


@liyasthomas commented on GitHub (Sep 17, 2024):

Disabling SSL verification is now possible in Hoppscotch Desktop App > Settings > Interceptor section > Turn off "Verify SSL Certificates". Now, users can also add self-signed certificates for verification.


@liyasthomas commented on GitHub (Sep 17, 2024):

Thanks for your patience and valuable feedback. This feature has been implemented in the latest release.

Closing this ticket as this feature is now available in the recent version. Please feel free to reach out if you have any other concerns.
