From mediawiki.org
MediaWiki extensions manual
Release status: unmaintained
Implementation User identity
Description Replaces password authentication with the one based on client SSL certificates.
Author(s) (WGHtalk)
Latest version 1.0
MediaWiki 1.25.2
Database changes No
License BSD 3-clause "Modified" License

The SSLClientAuth extension replaces password authentication with the one based on client SSL certificates.

Conceptually it's the same as SSL authentication extension, but it has been written for modern (1.25) MediaWiki version and uses much less hacks.

The first time user tries to open the wiki with a valid client certificate, a new account with name specified in certificate's Common Name is created automatically. Account registration should probably be disabled, as no user can log in without a certificate anyway.

It has only been tested with nginx with PHP running in FastCGI mode, but it should be easy to add support for other servers, too.


  • Enable client certificate validation on nginx:
    • ssl_client_certificate <path to .ca file>
    • ssl_verify_client <on|optional>
    • fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn
  • Download and place the file(s) in a directory called SSLClientAuth in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php :
    wfLoadExtension( 'SSLClientAuth' );
  • Yes Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

To users running MediaWiki 1.24 or earlier:

The instructions above describe the new way of installing this extension using wfLoadExtension(). If you need to install this extension on these earlier versions (MediaWiki 1.24 and earlier), instead of wfLoadExtension( 'SSLClientAuth' );, you need to use:

require_once "$IP/extensions/SSLClientAuth/SSLClientAuth.php";