Rungutan — How to load test APIs using Client Certificates

Published in

Rungutan

4 min readApr 16, 2021

Intro

Mutual authentication, also known as two-way authentication, is a security process in which entities authenticate each other before actual communication occurs. In a network environment, this requires that both the client and the server must provide digital certificates to prove their identities. In a mutual authentication process, a connection can occur only if the client and the server exchange, verify, and trust each other’s certificates. The certificate exchange occurs by means of the Transport Layer Security (TLS) protocol. The core of this process is to make sure that clients communicate with legitimate servers, and servers cooperate only with clients who attempt access for legitimate purposes.

source = Akamai Docs

What Does Client Authentication Certificate Mean?

A client authentication certificate is a certificate used to authenticate clients during an SSL handshake. It authenticates users who access a server by exchanging the client authentication certificate.

Client authentication is identical to server authentication, with the exception that the telnet server demands a certificate from the accessing client. This is to verify that the client is who they claim to be. This eliminates the listing of anonymous entries in a database’s user activity log when an Internet user accesses the server.

Clients can obtain client authentication certificates from an external certification authority (CA) like VeriSign. Another way is to create a self-signed certificate, which clients can use while waiting for a client certificate from the CA.

source = Techopedia

How does SSL mutual authentication work?

Client sends ClientHello message proposing SSL options.

Server responds with ServerHello message selecting the SSL options.
Server sends Certificate message, which contains the server’s certificate.
Server requests client’s certificate in CertificateRequest message, so that the connection can be mutually authenticated.
Server concludes its part of the negotiation with ServerHelloDone message.
Client responds with Certificate message, which contains the client’s certificate.
Client sends session key information (encrypted with server’s public key) in ClientKeyExchangemessage.
Client sends a CertificateVerify message to let the server know it owns the sent certificate.
Client sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
Client sends Finished message to let the server check the newly activated options.
Server sends ChangeCipherSpec message to activate the negotiated options for all future messages it will send.
Server sends Finished message to let the client check the newly activated options.

source = AlertLogic Docs

How does Rungutan tackle this?

Easy!

All you have to do is simply upload the certificate file and then reference it inside your test data as following, and we take care of everything else for you!

[...]
    "test_name": "Test that does Mutual Authentication using uploaded cert file"
    "file_name_certificate": "my_uploaded_cert_file",
[...]

As you can see, all you have to do is just inject the file name, and that’s it!

The maximum size of a file that we support is 10 MB.

Feature documentation

You’ll be able to find of course more technical details and different methods of using this feature on our Documentation site at the Certificate page.

The documentation covers everything, such as:

What roles have access to perform what actions
How to list/download/upload/remove certificates from the WEB platform, using API calls or the CLI

How do I upload certificates?

In order to upload a new file, all you have to do is browse to the Certificate page and click on the upload certificate button.

Once you do that, you’re presented with 2 options:

A name = this will be the name you will use to reference the file in your workflow
A path = the local file in your desktop that will be uploaded in our encrypted storage system

Once that is done, then the Certificate page will be populated with your file.

We allow you to upload virtually any certificate file type as long as it is smaller than 10MB!

How do I import certificates?

As you probably already realised, there is nothing to import.

As soon as the file has been uploaded, it is immediately and readily available to be used in your test data.

Sample scenario

As we said, you can use files to authenticate your API calls against a system that requires a client certificate to be presented in the request.

The usual scenario for such use case is that you need to simulate that another “system” needs to authenticate against your platform, hence the reason why you chose to use Mutual Authentication instead of the normal username/password.

Here’s how that would look like:

{
  "test_name": "Test Mutual AUthentication",
  "file_name_certificate": "file_name_here"
  "num_clients": 250,
  "hatch_rate": 250,
  "run_time": 60,
  "threads_per_region": 1,
  "domain_name": "my-high-end-platform.com",
  "protocol": "https",
  "test_region": [ "us-east-1" ],
  "workflow": [
    {
      "path": "/users/all",
      "method": "GET"
    }
  ]
}

The test above references the certificate file_name_here that was uploaded beforehand to our encrypted storage solution and generated a GET request to the /users/all path.

Final thoughts

Now you can easily authenticate as another system while performing your much needed stress tests against any platform that has this requirement!

Originally published at https://rungutan.com.