Cisco CSS Client Authentication

Unanswered Question
Oct 22nd, 2008
I have a few questions in this regard.

1.) Is it possible to use self-signed certs for the client authentication, bearing in mind you need to point the CSS to the CRL?


2.) I need to run around 20 different VIPs (probably on the same IP but with different TCP ports), all requiring their own individual certificate for client auth. Is there a limit to the number of client authentication certificates I can load on an 11501S device?


3.) Can someone provide me with a working configuration example for client authentication on a CSS?

Gilles Dufour (Cisco Employee) Thu, 10/23/2008 - 04:58

Client authentication means the CSS will request the client to send its own certificate and we will check its validity with the configured CA and configured CRL.

It has nothing to do with the CSS certificate.

So, you could have a self-signed certificate on the CSS. That doesn't change anything for client authentication.


The same IP thing is probably not a good thing if you want to assign the certificate to different domains.

A DNS request will only return an IP address and no port.

So you may end up with all requests going to the same IP and port 443.


I think the limit is 256 ssl-proxy server.


Check the config guide for assistance:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/terminat.html#wp999318


Gilles.
