Client certificate authentication can be configured with the Client, the required options are passed along through the connect option.
The client certificates must be signed by a trusted CA. The Node.js default is to trust the well-known CAs curated by Mozilla.
\nSetting the server option requestCert: true tells the server to request the client certificate.
The server option rejectUnauthorized: false allows us to handle any invalid certificate errors in client code. The authorized property on the socket of the incoming request will show if the client certificate was valid. The authorizationError property will give the reason if the certificate was not valid.
const { readFileSync } = require('node:fs')\nconst { join } = require('node:path')\nconst { createServer } = require('node:https')\nconst { Client } = require('undici')\n\nconst serverOptions = {\n ca: [\n readFileSync(join(__dirname, 'client-ca-crt.pem'), 'utf8')\n ],\n key: readFileSync(join(__dirname, 'server-key.pem'), 'utf8'),\n cert: readFileSync(join(__dirname, 'server-crt.pem'), 'utf8'),\n requestCert: true,\n rejectUnauthorized: false\n}\n\nconst server = createServer(serverOptions, (req, res) => {\n // true if client cert is valid\n if(req.client.authorized === true) {\n console.log('valid')\n } else {\n console.error(req.client.authorizationError)\n }\n res.end()\n})\n\nserver.listen(0, function () {\n const tls = {\n ca: [\n readFileSync(join(__dirname, 'server-ca-crt.pem'), 'utf8')\n ],\n key: readFileSync(join(__dirname, 'client-key.pem'), 'utf8'),\n cert: readFileSync(join(__dirname, 'client-crt.pem'), 'utf8'),\n rejectUnauthorized: false,\n servername: 'agent1'\n }\n const client = new Client(`https://localhost:${server.address().port}`, {\n connect: tls\n })\n\n client.request({\n path: '/',\n method: 'GET'\n }, (err, { body }) => {\n body.on('data', (buf) => {})\n body.on('end', () => {\n client.close()\n server.close()\n })\n })\n})\n