SECRET VAULT
Certificates
Store and manage TLS client certificates in the encrypted vault for mutual TLS (mTLS) authentication with APIs that require client certificate verification.
Overview
Store TLS client certificates in the encrypted vault for mTLS (mutual TLS) authentication. Certificates are encrypted at rest alongside your secrets using AES-256-GCM.
~/.openpost/global/vault.enc, available across all workspaces
Adding Certificates
Navigate to the Vault tab → Certificates section → click + Add Certificate.
Enter a name
Use a descriptive name, e.g. "API Gateway Cert", "Staging Private Key"
Select format and type
Choose the certificate format (PEM, PFX, DER) and type (client-cert, private-key, ca-bundle)
Import from file
Click Choose File to pick from disk. PEM files are stored as text. PFX/DER files are auto Base64-encoded on import.
Optional passphrase
Enter a passphrase if the private key is encrypted (common with PFX/PKCS12 files)
Certificate Types
Three certificate types serve distinct roles in the TLS handshake:
| Type | Purpose |
|---|---|
| client-cert | The client certificate presented to the server during the TLS handshake |
| private-key | The private key paired with the client certificate |
| ca-bundle | Custom CA certificate(s) for server verification — used instead of the system trust store |
client-cert + one private-key. The CA bundle is optional — only needed if the server uses a private CA not in your system trust store.
Supported Formats
PEM
Text-based, most common format. Files start with -----BEGIN CERTIFICATE-----. Stored as plain text in the vault.
PFX / PKCS12
Binary format containing certificate + private key in one file. Common extensions: .p12, .pfx. Auto Base64-encoded on import.
DER
Binary format for a single certificate. Auto Base64-encoded on import.
API Studio handles encoding and decoding automatically — just pick the file and the format is detected.
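The sketch below is an added example, not API Studio's own code. It shows one way an importer can tell the three formats apart and build the value to store (PEM as text, PFX/DER as Base64). The detection heuristic, the function names and the PEM label mapping are assumptions.

```python
import base64
import re

# PEM label -> hint for the vault "type" field (this mapping is an assumption).
PEM_LABELS = {
    "CERTIFICATE": "client-cert or ca-bundle",
    "PRIVATE KEY": "private-key",
    "RSA PRIVATE KEY": "private-key",
    "EC PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "private-key (passphrase required)",
}

def _der_body_offset(data: bytes) -> int:
    """Return the offset of the content of the outer ASN.1 SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if data[1] < 0x80:              # short-form length
        return 2
    n = data[1] & 0x7F              # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported DER length")
    return 2 + n

def classify(data: bytes) -> dict:
    """Sniff PEM / PFX / DER and build the value to store."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if m:
        label = m.group(1).decode()
        return {"format": "PEM", "hint": PEM_LABELS.get(label, "unknown"),
                "stored": data.decode("utf-8")}
    off = _der_body_offset(data)
    # A PKCS#12 PFX starts with INTEGER version 3 (02 01 03); an X.509
    # certificate starts with the nested tbsCertificate SEQUENCE (0x30).
    if data[off:off + 3] == b"\x02\x01\x03":
        fmt = "PFX"
    elif data[off:off + 1] == b"\x30":
        fmt = "DER"
    else:
        raise ValueError("unrecognised DER structure")
    return {"format": fmt, "hint": "binary",
            "stored": base64.b64encode(data).decode("ascii")}

# Constructed sample inputs (headers only, no real key material).
SAMPLE_PEM = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
SAMPLE_DER = bytes.fromhex("3082010a30820100")
SAMPLE_PFX = bytes.fromhex("3082090a020103308208d0")

if __name__ == "__main__":
    for sample in (SAMPLE_PEM, SAMPLE_DER, SAMPLE_PFX):
        result = classify(sample)
        print(result["format"], "|", result["hint"])
```

Base64 here is only a text-safe encoding of the binary file; confidentiality of the stored value comes from the vault's AES-256-GCM encryption at rest.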
Per-Request TLS Configuration
Open a request's Settings tab (Advanced Mode required) to configure TLS certificates:
client-cert
private-key
ca-bundle
Inheritance
Certificate configuration follows the same inheritance pattern as authentication:
inheritCertificate: true)
In Actual Request Tab
After sending a request, the Actual Request tab shows which certificates were used:
When client certificates are configured:
cert: MyCert, key: MyKey
When no client certificate is configured:
System Trust Store
This is shown in the certificateNames field of the actual request, which helps verify that the right certificates are being sent to the server.