SECRET VAULT

Certificates

Store and manage TLS client certificates in the encrypted vault for mutual TLS (mTLS) authentication with APIs that require client certificate verification.

Overview

Store TLS client certificates in the encrypted vault for mTLS (mutual TLS) authentication. Certificates are encrypted at rest alongside your secrets using AES-256-GCM.

Configure per-request, per-folder, or per-collection with full inheritance
Used when servers require client certificate verification (mTLS)
Supports PEM, PFX/PKCS12, and DER formats
Global scope — stored in ~/.openpost/global/vault.enc, available across all workspaces

Adding Certificates

Navigate to the Vault tab → Certificates section → click + Add Certificate.

1. Enter a name
   Use a descriptive name, e.g. "API Gateway Cert", "Staging Private Key".

2. Select format and type
   Choose the certificate format (PEM, PFX, DER) and type (client-cert, private-key, ca-bundle).

3. Import from file
   Click Choose File to pick from disk. PEM files are stored as text. PFX/DER files are auto Base64-encoded on import.

4. Optional passphrase
   Enter a passphrase if the private key is encrypted (common with PFX/PKCS12 files).

Certificate Types

Three certificate types serve distinct roles in the TLS handshake:

Type        | Purpose
------------|--------
client-cert | The client certificate presented to the server during the TLS handshake
private-key | The private key paired with the client certificate
ca-bundle   | Custom CA certificate(s) for server verification — used instead of the system trust store

Typical setup: You need one client-cert + one private-key. The CA bundle is optional — only needed if the server uses a private CA not in your system trust store.

Supported Formats

PEM

Text-based, most common format. Files start with -----BEGIN CERTIFICATE-----. Stored as plain text in the vault.

PFX / PKCS12

Binary format containing certificate + private key in one file. Common extensions: .p12, .pfx. Auto Base64-encoded on import.

DER

Binary format for a single certificate. Auto Base64-encoded on import.

API Studio handles encoding and decoding automatically — just pick the file and the format is detected.

Per-Request TLS Configuration

Open a request's Settings tab (Advanced Mode required) to configure TLS certificates:

Client Certificate — select from vault entries of type client-cert
Private Key — select from vault entries of type private-key
CA Bundle — optional, select from vault entries of type ca-bundle

Note: Dropdowns show all vault certificate entries by name. If the vault is locked when a request is sent, the extension silently falls back to the system trust store — no error is shown.

Inheritance

Certificate configuration follows the same inheritance pattern as authentication:

Collection → Folder → Request

Set certificates at collection level — all requests in the collection inherit
Set at folder level — requests in that folder inherit
Request-level "Inherit Certificate" toggle (inheritCertificate: true)

Resolution: Walks UP the chain (request → folder → ... → collection) until it finds a node with certificates configured. If nothing is found, the system trust store is used.

In Actual Request Tab

After sending a request, the Actual Request tab shows which certificates were used:

When client certificates are configured:

cert: MyCert, key: MyKey

When no client certificate is configured:

System Trust Store

This is shown in the certificateNames field of the actual request and helps verify that the right certificates are being sent to the server.
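
The inheritance walk and the locked-vault fallback described above, as an added example that is not API Studio's own code. It predicts the certificateNames value for a request so that a "System Trust Store" result caused by a locked vault can be told apart from one where nothing was configured. The node shape (name, parent, tls), the function names, the "ca:" label and the rule that a request without inheritCertificate: true never looks past itself are assumptions.

```javascript
// Added example with a hypothetical data model; not API Studio's own code.
const SYSTEM_TRUST_STORE = "System Trust Store";

const hasTls = (n) => Boolean(n.tls && (n.tls.cert || n.tls.key || n.tls.ca));

// Walk UP from the request until a node has certificates configured.
// Assumption: a request with inheritCertificate !== true never looks past itself.
function resolveTls(request) {
  if (hasTls(request)) return { source: request.name, ...request.tls };
  if (request.inheritCertificate !== true) return null;
  for (let n = request.parent; n; n = n.parent) {
    if (hasTls(n)) return { source: n.name, ...n.tls };
  }
  return null; // nothing configured anywhere: system trust store
}

// Predict what the Actual Request tab should show, and flag the cases
// that would otherwise pass without any error.
function expectedTls(request, vaultLocked) {
  const cfg = resolveTls(request);
  if (!cfg) return { certificateNames: SYSTEM_TRUST_STORE, source: null, warnings: [] };
  const warnings = [];
  if (Boolean(cfg.cert) !== Boolean(cfg.key)) {
    warnings.push("only one of client-cert / private-key is configured");
  }
  if (vaultLocked) {
    warnings.push(`vault locked: certificates set on "${cfg.source}" will not be used`);
    return { certificateNames: SYSTEM_TRUST_STORE, source: cfg.source, warnings };
  }
  const names = [];
  if (cfg.cert) names.push(`cert: ${cfg.cert}`);
  if (cfg.key) names.push(`key: ${cfg.key}`);
  if (cfg.ca) names.push(`ca: ${cfg.ca}`); // "ca:" label is an assumption
  return { certificateNames: names.join(", "), source: cfg.source, warnings };
}

// Constructed sample tree: collection -> folder -> request.
const collection = { name: "Payments API", parent: null, tls: { cert: "MyCert", key: "MyKey" } };
const folder = { name: "Refunds", parent: collection };
const inheriting = { name: "POST /refunds", parent: folder, inheritCertificate: true };
const standalone = { name: "GET /health", parent: folder, inheritCertificate: false };

console.log(expectedTls(inheriting, false)); // resolved from the collection
console.log(expectedTls(inheriting, true));  // locked vault: fallback plus warning
console.log(expectedTls(standalone, false)); // no inheritance, nothing configured
```

Comparing the predicted value with the certificateNames field after a send shows whether an mTLS request went out with the certificates it was meant to use.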
