SSL – Is it possible to do client certificate authentication without running HTTPS on a webserver

Tags: certificate, https, mod-ssl, ssl

(Please note: this question is one of many "why don't you just try it?" questions. I certainly will, but since I haven't found an obvious answer by googling, I thought I might as well make it easier for someone who might need this later by asking on ServerFault)

My web application is served over HTTPS behind some load balancers and allows users to authenticate using client certificates in some cases. Now I'm being asked whether I'd like to offload SSL encryption/decryption to load balancers so that I'd be running a plain HTTP site (and thus with easier debugging and configuration) while the load balancer would be doing HTTPS for the users. Free extra CPU cycles certainly sound good, however, I'm not convinced that I'd still be able to check users' client certificates.

Is it possible to use client certificates without running a full-blown HTTPS site?

Best Answer

It depends how you use client certs to authenticate and authorise users. Do you allow anyone with a cert signed by someone you recognise or must it be signed and the CN equal something specific or equal a user in a group? Does your current web server handle authorisation or does your app?

The typical way to do this would be to terminate the SSL connection on a load balancer. This load balancer would be the "full-blown HTTPS site" and would need to be configured to request a client certificate. Your load balancer would then perform a check to see if the cert was signed by a trusted CA. The load balancer would then add details from the SSL cert, such as the DN, as HTTP headers to the plain HTTP request to your app. Your app would then check these HTTP headers and authorise the user based on a trust between the app and the load balancer. I've seen this accomplished with all major load balancers such as F5, ZXTM and even Apache HTTP Server.
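The app side of the arrangement described in this answer, as an added example that is not part of the original post: a WSGI-style check that only trusts the forwarded certificate headers when the request actually arrived from the load balancer and the load balancer reports that the chain verified. The header names, the proxy network and the DN format are assumptions (they mirror what Apache's mod_ssl exposes as SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY, but your load balancer may use different names).

```python
import re
from ipaddress import ip_address, ip_network

# Assumed: only these networks host load balancers that strip any
# client-supplied X-SSL-* headers before setting their own. A request from
# anywhere else could carry forged headers, so they must be ignored.
TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]
DN_HEADER = "X-SSL-Client-S-DN"        # assumed name; e.g. %{SSL_CLIENT_S_DN}s
VERIFY_HEADER = "X-SSL-Client-Verify"  # assumed name; e.g. %{SSL_CLIENT_VERIFY}s


def parse_dn(dn):
    """Parse 'CN=alice,OU=staff,O=Example' or '/CN=alice/OU=staff' into a dict.
    Simple split: RFC 4514 escaping (e.g. '\\,' inside a value) is not handled."""
    attrs = {}
    for part in re.split(r"[,/]", dn):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def _wsgi_key(header):
    """Map an HTTP header name to its WSGI environ key."""
    return "HTTP_" + header.upper().replace("-", "_")


def authenticate(environ, allowed_groups):
    """Return the CN to treat as the authenticated user, or None if the
    request is not a verified client-cert request relayed by the balancer."""
    src = ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(src in net for net in TRUSTED_PROXIES):
        return None  # hit the app directly; forwarded headers are untrusted
    if environ.get(_wsgi_key(VERIFY_HEADER)) != "SUCCESS":
        return None  # balancer did not verify a chain to the trusted CA
    attrs = parse_dn(environ.get(_wsgi_key(DN_HEADER), ""))
    cn = attrs.get("CN")
    if not cn or attrs.get("OU") not in allowed_groups:
        return None  # no CN, or the cert's OU is not an authorised group
    return cn
```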