+title Cockpit Certificate Authentication\r
+\r
+Browser -> cockpit-ws: TLS handshake\nwith client cert\r
+\r
+cockpit-ws -> cockpit-session: auth mode "tls-cert"\r
+\r
+cockpit-session -> libpam-cockpit-cert: start PAM session\r
+note left of libpam-cockpit-cert: no user known yet\r
+\r
+libpam-cockpit-cert -> cockpit-ws: query certificate\r
+libpam-cockpit-cert -> sssd: map certificate\r
+sssd -> libpam-cockpit-cert: user name\n(or failure)\r
+libpam-cockpit-cert -> cockpit-session: set PAM user name,\nstart session\r
+note left of cockpit-session: start cockpit-bridge\r
+cockpit-session -> cockpit-ws: success\r