forked from pivotal-cf/docs-pcf-install
To configure HAProxy to handle client certificates, select one of the following options in the <b>HAProxy behavior for Client Certificate Validation</b> field.
<%= image_tag 'networking_haproxy_client_cert_validate.png' %>
<ul>
<li><b>HAProxy does not request client certificates.</b> HAProxy does not request client certificates, so the client does not provide them and no validation occurs. This option is incompatible with the XFCC option <b>TLS terminated for the first time at HAProxy</b>, because that XFCC option requires mutual authentication. This is the default configuration.</li>
<li><b>HAProxy requests but does not require client certificates.</b> HAProxy requests client certificates in TLS handshakes and validates them when presented, but does not require them.</li>
</ul>
<p class="note warning"><strong>WARNING:</strong> Upon upgrade, PAS will fail to receive requests if your load balancer is configured to present a client certificate in the TLS handshake with HAProxy but HAProxy has not been configured with the certificate authority used to sign it. To mitigate this issue, select <strong>HAProxy does not request client certificates</strong> in the <strong>Networking</strong> pane or configure HAProxy with the appropriate CA.</p>
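
The following added example (not part of the original PAS documentation) shows one way to check, before upgrading, that the client certificate your load balancer presents validates against the CA you configure in HAProxy. The function names, file names, and the throwaway CAs generated by `make_samples` are assumptions constructed for illustration; substitute your own PEM files.

```shell
#!/bin/sh
# Added example: pre-upgrade check for the condition described in the warning.
# All function and file names here are hypothetical, not part of PAS.

# chains_to_ca CA_BUNDLE CERT -> exit status 0 if CERT validates against CA_BUNDLE.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_lb_cert CA_BUNDLE CERT -> report the outcome to expect after upgrade.
check_lb_cert() {
    if chains_to_ca "$1" "$2"; then
        echo "OK: HAProxy can validate this client certificate"
    else
        echo "FAIL: add the signing CA to HAProxy, or select 'HAProxy does not request client certificates'"
        return 1
    fi
}

# Constructed sample data: two throwaway CAs and one client certificate
# signed by the first ("configured") CA only.
make_samples() {
    d=$1
    for ca in configured other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$ca-ca.example" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lb-client.example" \
        -keyout "$d/lb.key" -out "$d/lb.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/lb.csr" -days 1 \
        -CA "$d/configured-ca.pem" -CAkey "$d/configured-ca.key" \
        -CAcreateserial -out "$d/lb.pem" 2>/dev/null
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"

# Case 1: the CA that signed the load balancer certificate is configured.
check_lb_cert "$SAMPLES/configured-ca.pem" "$SAMPLES/lb.pem"

# Case 2: HAProxy only knows an unrelated CA, the situation the warning describes.
check_lb_cert "$SAMPLES/other-ca.pem" "$SAMPLES/lb.pem" || true
```

With real files, call `check_lb_cert` with the CA bundle you plan to enter in the **Networking** pane and the certificate exported from your load balancer.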