ACE SSL offloading & Client certificate authentication

Unanswered Question
May 9th, 2007

We have several webserver clusters secured with SSL and we use client certificate authentication.

Depending on the certificate, users have different rights.

At the moment we use microsoft NLB but we want to implement SSL offloading on the ACE. However, if we remove SSL from our webservers we can not use client certificate authentication anymore.

What solutions are possible to keep client certificate authentication ?

Is it possible to implement authentication on the ACE and send some header, which would include a user id to the webservers, or something like that ?



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sebastianvandijk Thu, 06/21/2007 - 02:41

i just found out cisco currently isnt support client authentication in SSL.

too bad, any view on when this functionality will be available ?

Gilles Dufour Fri, 06/22/2007 - 04:21

this functionality will come with software version 2.0 which should come out in november.


Gilles Dufour Tue, 11/27/2007 - 04:41

actually my first message was incorrect.

The target is early 2008 for A2.0

Nov was for Ace appliance software on CCO. A1.7


sebastianvandijk Tue, 11/27/2007 - 05:26

Hi Gilles,

that's a pitty, but we'll keep waiting.

Do you know where i can register for ACE software updates ?

sebastianvandijk Tue, 03/18/2008 - 08:36

I just found out that version 2 is out, great !

However, although client certificate authentication is available, i can't find how to grab / pass the user id from the certificate to the webserver ?

Can this be done ? Or can't the certificate subject be used from within the ACE ?



Gilles Dufour Tue, 03/18/2008 - 09:30

Unfortunately, extracting values from the cert and insert into the HTTP Header did not made it in ACE2.0.

Next big release 3.0 should have it.


sebastianvandijk Tue, 01/12/2010 - 06:10

Hi Gilles,

I can't exactly determine if these features have been implemented yet ?

And if so, does an example configuration reside somewhere on the cisco site, or can you give a hint in the right direction ?



Akhtar Samo Tue, 07/03/2012 - 03:58

Hello Gilles,

We had a similar requirement from one of our customer that their client terminals (POS terminals) should be authenticated by the ACE which is terminating the SSL connection. Backend connections to the server is clear text.

Since in a normal SSL flow the server sends the certificate to the client and the client verifies the identity of the server but in our case we need server/ACE to authenticate the client or some form of mutual authentication should be there.

As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we are testing the application it seems that only the front end (client to ACE) connection gets established but not the back end.

We have verified that if client authentication is disabled the application works fine but the ACE sends it the certificate and the client is not authenticated.

crypto authgroup POS

cert certfinal.pem

ssl-proxy service ssl-proxy

   key POS

   cert certfinal.pem

   authgroup POS

   ssl advanced-options POS

Would appreciate if you can help us out in that.



cpomeroy Tue, 07/03/2012 - 08:07


   When doing client authentication, the ACE will request a certificate from the client.  This will be done in the SSL handshake.  If the client does not send a certificate, the handshake will fail.   If the Client does send a certficate, then the ACE will use the certificate in the auth group to autenticate the client certificate. 

In your configuration, you are using cert certfinal.pem in the auth group.  This appears to be the server certificate. If that is the case, then this will not work as it is highly unlikely that the certifcate

cert certfinal.pem was used to sign the client certifcates.  The Authgroup should have the certificate that signed the client certs and not the server cert.

Typicall you would see a certificate chain that would look some thing like this

Root CA--signs the Intermediate CA---which signs the server or Client Certifcate.

Your authgroup should contain the the intermediate and root ca that signed the client certificate.  Then those client certificates must be installed on the client.

Akhtar Samo Tue, 07/03/2012 - 23:50

As per the client the certfinal.pem is generated with the combination of root certificate,  intermediate certificate (from ACE CSR) and key (generated on ACE) for CSR.

On client they have uploaded intermediate certificate (from ACE CSR) because the client couldn't generate the CSR since its a POS terminal.

Our scenario is like given below with client authentication

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead ?




This Discussion