Is your feature request related to a problem?

In our setup, we use client certificate authentication extensively. It would be very easy for us to deploy a binary cache and setup authentication the same way.

Proposed solution

• Extend nix.conf with settings for client certificate and private keys.
  It can be (1) global configuration with a single keypair, or (2) per substituter URL.

• modify FileTransfer to configure the requierd key/cert pair in the curl request

If my limited understanding of the codebase is correct, this would also make fetchers work with certificates, which would be a nice bonus but not required for us.

If the feature request is acceptable in principle, I am willing to implement and test it.

Alternative solutions

Alternatively, we could setup basic authentication, but it would be more painful from identity management perspective.

Additional context

#690 which initially proposed client certificate authentication as a possible authentication mechanism.

Checklist

• checked latest Nix manual (source)
• checked open feature issues and pull requests for possible duplicates

Add 👍 to issues you find important.