CSS SSL client authentication - self-signed cert?

Unanswered Question
Aug 27th, 2009

I have a customer who wishes to use a CSS to front-end web servers and have the CSS perform SSL offload - straightforward.

However, the application may need client authentication, i.e. client certs.

The config guide shows that this can be done on the CSS, but the CSS will check with the issuing CA to validate the client cert - sounds logical.

If the customer wishes to use self-generated certs, will this work with client authentication, i.e. can we import the client certs into the CSS to stop it trying to validate them, as there would be no CA for these?

Any help appreciated.


Anonymous (not verified) Wed, 09/02/2009 - 07:40

When client authentication occurs on the CSS, the CSS verifies that the:

• Client sending the certificate has a corresponding private key

• Client certificate is signed by a known CA

• Certificate has not expired

• Signature is valid

• Issuing CA has not revoked the certificate if a Certificate Revocation List (CRL) is configured on the CSS

During a typical SSL handshake between a client and a server, the client does not send a certificate.


alpritchard Wed, 09/02/2009 - 07:52

OK, thanks for the reply - I think I came to the same conclusion: for client authentication to work, a CA cert needs to be installed in the CSS.

So a CA needs to generate the client cert, and the CA cert needs to be installed in the CSS. The CA could be a public or private one as long as the certs can be installed on the client and the CSS.

Am I right in thinking the CSS is not capable of doing this on its own with its own self-signed cert process - i.e. that will only work for server certs?


Gilles Dufour Thu, 09/03/2009 - 01:44

It is quite easy with openssl to generate your own root CA and sign all the keys you want.

You can then put this root CA on the CSS to validate the client.

There are even GUI tools surrounding openssl to do this automatically for you.

So, this would be the best solution if you do not want to get certificates from Verisign or similar public signer.
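A worked version of the private-CA approach described in the reply above, added here as an example; it is not from the thread, from Cisco, or from the CSS itself. It builds a root CA with openssl, issues a client certificate from it, and then runs offline the two checks the earlier answer lists that a self-signed client cert cannot pass or can pass: chaining to a known CA, and possession of the matching private key. It assumes openssl 1.1.1 or later on PATH; the working directory, the config file, the subject names and the client names alice and mallory are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a private root CA with openssl,
# issue a client certificate from it, and run the same checks a load balancer
# doing client authentication performs. Assumes openssl 1.1.1+ on PATH.
# All file names, subjects and client names below are made up.
set -e

write_config() {
    # $1 = working directory. Minimal openssl config: CA extensions for the
    # root, client-auth extensions for leaf certificates.
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[dn]
CN = placeholder

[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {
    # $1 = working directory. Creates ca.key and the self-signed ca.crt; ca.crt
    # is what gets loaded on the device that must validate client certs.
    mkdir -p "$1"
    write_config "$1"
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -subj "/CN=Example Private Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_cert() {
    # $1 = working directory, $2 = client name. The key stays with the client;
    # the CSR is signed by the root CA with the client_ext extensions.
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/openssl.cnf" -extensions client_ext \
        -out "$1/$2.crt" 2>/dev/null
}

make_selfsigned_client() {
    # $1 = working directory, $2 = client name. A client cert that signs itself
    # (the set-up the original question asked about): no CA has vouched for it.
    openssl req -x509 -config "$1/openssl.cnf" -extensions client_ext \
        -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

verify_against_ca() {
    # $1 = working directory, $2 = cert name. The "signed by a known CA" check:
    # chain the cert to ca.crt and require the client-auth purpose. Exit 0 = OK.
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

key_matches_cert() {
    # $1 = working directory, $2 = name. The "has the corresponding private key"
    # check, done offline: the cert's public key must equal the public half of
    # the key file (in TLS the client proves this with a handshake signature).
    [ "$(openssl x509 -noout -pubkey -in "$1/$2.crt")" = \
      "$(openssl pkey -pubout -in "$1/$2.key")" ]
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    issue_client_cert "$work" alice
    make_selfsigned_client "$work" mallory
    verify_against_ca "$work" alice && echo "alice: accepted (chains to the root CA)"
    verify_against_ca "$work" mallory || echo "mallory: rejected (self-signed, no known CA)"
    key_matches_cert "$work" mallory && echo "mallory: key matches cert, but that alone is not enough"
fi
```

Run it as `sh pki-demo.sh demo`. The point the two client certs make is the one the original question turned on: mallory's certificate is internally consistent (its key matches, its signature is valid, it has not expired) and still fails, because the only check a self-signed cert can never satisfy is the chain to a CA the CSS trusts. Loading ca.crt on the CSS and issuing every client cert from that CA is what makes that check pass.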


