python requests library client certificate

Python Requests Library and Client Certificate

If you're working with web services or APIs, there might be a need to authenticate your client using SSL/TLS certificates. In Python, the most popular library for making HTTP requests is the Requests library. In this blog post, we'll explore how to send a client certificate with a request using the Requests library.

What is SSL/TLS Client Certificate?

An SSL/TLS client certificate is a digital certificate that is used by the client to authenticate itself with a server. It is used as an alternative to username and password authentication. A client certificate is issued by a trusted Certificate Authority (CA) and is installed on the user's device.

How to send a Client Certificate using Requests Library?

The Requests library supports SSL/TLS client authentication by providing an auth parameter. The auth parameter accepts instances of the HTTPBasicAuth and HTTPDigestAuth classes. To add a client certificate to the request, we need to create an instance of the SSLAdapter class and pass it to the Session object.

Step 1: Install Required Libraries

The first step is to install the required libraries using pip. Install the requests, pyopenssl, and cryptography libraries.

pip install requests pyopenssl cryptography

Step 2: Import Required Libraries

The next step is to import the required libraries.

import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.poolmanager import PoolManager
import ssl

Step 3: Create SSL Adapter

The next step is to create an instance of the SSLAdapter class. The SSLAdapter class is a custom implementation of the HTTPAdapter class that adds support for SSL/TLS client authentication.

class SSLAdapter(HTTPAdapter):
    def __init__(self, *args, **kwargs):
        self.ssl_options = kwargs.pop('ssl_options', {})
        super(SSLAdapter, self).__init__(*args, **kwargs)

    def init_poolmanager(self, *args, **kwargs):
        context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
        kwargs['ssl_context'] = context
        return super(SSLAdapter, self).init_poolmanager(*args, **kwargs)

The SSLAdapter class takes the following arguments:

  • certfile: Path to the client certificate file.
  • keyfile: Path to the client key file.
  • password: Password for the client key file (if any).

Step 4: Create Session Object

The next step is to create a session object and pass the SSLAdapter object to it.

session = requests.Session()
session.mount('https://', SSLAdapter())

The mount() method is used to register the SSLAdapter object with the session object. This ensures that all requests made using the session object are authenticated using the client certificate.

Step 5: Make Request

The final step is to make a request using the session object.

response = session.get('', verify=False)

The verify=False parameter is used to disable SSL/TLS certificate verification. If you're working with a self-signed certificate or a certificate that is not trusted by the system, you need to set this parameter to False.


In this blog post, we learned how to send a client certificate with a request using the Requests library in Python. We created an instance of the SSLAdapter class and passed it to the session object. We then made a request using the session object and verified the response.