mTLS changes on Clearstream API services
LuxCSD¹ informs clients that, effective 13 June 2026, they must present a valid client certificate for every connection to a Clearstream API.
Technical information for developers
TLS behaviour change
Previously the system requested a client certificate only on protected paths (via TLS renegotiation as needed).
A client certificate is now requested during the “initial TLS handshake” for every new connection, regardless of endpoint. No renegotiation is used.
Key impacts
- The TLS session (including whether a client certificate was presented) is decided once at handshake.
- HTTP keep-alive, connection pools, or HTTP/2 reuse the exact same session for all requests.
- If the first request (e.g. to `/oauth2/.well-known/openid-configuration` or `/oauth2/connect/jwk_uri`) omits the certificate, the entire session has none. Any later protected API call on that connection will fail with 403.
Clients must configure their HTTP client to always present the client certificate on every new connection to the Clearstream API URL.
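One way to meet this requirement with Python's standard library, as an added example that is not Clearstream's code: the certificate is loaded into the single TLS context used for every request, so the discovery call and later API calls cannot differ. `ApiClient`, `mtls_context`, `api_url` and the certificate file paths are assumptions for illustration; the host and discovery path are the ones named in this notice.

```python
import ssl
import sys
import urllib.request

API_BASE = "https://api-t2s-test.clearstream.com"  # test API URL from this notice
DISCOVERY = "/oauth2/.well-known/openid-configuration"  # path named in this notice


def mtls_context(cert_file, key_file):
    """TLS context that presents the client certificate in every handshake."""
    ctx = ssl.create_default_context()  # server certificate checks stay enabled
    # Raises OSError/ssl.SSLError if the files are missing or do not match,
    # so a client without a certificate is never constructed.
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def api_url(path, base=API_BASE):
    """Join a path to the API base; refuse anything that is not a plain path."""
    if not path.startswith("/"):
        raise ValueError(f"expected a path on {base}, got {path!r}")
    return base.rstrip("/") + path


class ApiClient:
    """Hypothetical wrapper: one opener, one TLS context, all endpoints."""

    def __init__(self, cert_file, key_file, base=API_BASE):
        self.base = base
        handler = urllib.request.HTTPSHandler(context=mtls_context(cert_file, key_file))
        self._opener = urllib.request.build_opener(handler)

    def get(self, path, headers=None):
        # Discovery and protected calls share the opener, so every new
        # connection performs the handshake with the certificate.
        req = urllib.request.Request(api_url(path, self.base), headers=headers or {})
        with self._opener.open(req, timeout=30) as resp:
            return resp.status, resp.read()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: client.py CLIENT_CERT.pem CLIENT_KEY.pem")
    client = ApiClient(sys.argv[1], sys.argv[2])
    status, body = client.get(DISCOVERY)  # first request already carries the cert
    print(status, len(body), "bytes")
```

The same principle applies to any HTTP library: set the certificate on the shared session, pool or TLS context, not on individual requests.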
Testing
Testing is available from 18 April 2026. All clients using API services are strongly recommended to test their API clients in the Customer Test Environment OCCT, available at:
Xact Web Portal: https://xact-t2s-test.clearstream.com
API: https://api-t2s-test.clearstream.com
More information can be found on the ClearstreamXact testing environment web page.
Further information
For further information, please contact Client Services or your Relationship Manager. Questions related to the technical connection can be addressed to Connectivity Support.
------------------------------------------
1. LuxCSD refers to LuxCSD S.A., registered office at 42, Avenue J.F. Kennedy, L-1855 Luxembourg, registered with the Luxembourg Trade and Companies Register under number B-154.449.