Client Cert issues on ACE module

Unanswered Question
Aug 5th, 2010

We have SSL termination on our ACE module which has been working for a while for a specific URL/VIP. Recently we were given a certificate from the developers and asked to install it onto the ACE so that SSL client certificate authentication can take place, so only certain users can access the site. We imported the certificate, created the authgroup, and referenced the newly installed client cert. They tested and state it's not working. They are stating our ACE is not configured properly. As this is the first client scenario we have, I want to be sure that they are not right. Here is our config pertaining to this connection:


  class WEBSERVER_SSL
    loadbalance vip inservice
    loadbalance policy WEBSERVER_SSL
    loadbalance vip icmp-reply active
    ssl-proxy server WEBSERVER_CERT

ssl-proxy service WEBSERVER_CERT
  key client_url.key
  cert client_url.crt
  authgroup CLIENT_CERT_INFO

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt


I am familiar with generating the keypair and installing certs and keys for SSL termination, but I am not sure what cert/key/etc. needs to be copied onto the ACE for client authentication. Is this something they generate and provide to me?


Any info is greatly appreciated.

litrenta Thu, 08/05/2010 - 12:12
Cisco Employee

Your SSL proxy would have the server cert, key and authgroup.


The authgroup needs the CA cert that signed the client cert.


So:


ssl-proxy service WEBSERVER_CERT
  key client_url.key          <--- this is your normal key that was used to generate the CSR for the server cert
  cert client_url.crt         <--- this is the server cert
  authgroup CLIENT_CERT_INFO  <--- this causes the proxy to send a certificate request to the client and use the cert in the authgroup (the one that signed the client cert) to authenticate the client

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt   <--- this should be the CA cert that signed the client cert that the client will send us


You should be able to take the client cert and CA cert, give them a .cer extension, and look at their details in Windows. Check that the authgroup cert signed the client cert, and that the client cert has extended key usage set to client cert, or to both server cert and client cert.


Reference for config:


http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/terminat.html#wp1117637
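The two checks described in the reply above (does the CA cert you put in the authgroup really sign the client cert, and does the client cert carry an Extended Key Usage that permits client authentication) can be scripted with OpenSSL on a workstation instead of eyeballing the details dialog in Windows. The script below is an added example and is not from the thread or from Cisco; it builds a throwaway root CA, intermediate CA and client cert (all names, subjects and file paths are made up) so it runs offline, then runs the checks against them. It also deliberately verifies the client cert against the intermediate alone, which OpenSSL rejects because the chain does not reach a self-signed root; that shows what a generic verifier does with a partial chain, not what the ACE does with an authgroup holding only an intermediate. Copy your real authgroup cert and the developers' client cert in place of the generated files to check a production pair.

```shell
#!/bin/sh
# Added example, not the ACE config or code from the thread.
# Assumes the openssl CLI (1.1.x or 3.x) is on PATH. Every file name,
# subject and directory below is constructed for this demo.
set -eu

# Build root CA -> intermediate CA -> client cert (EKU clientAuth) under $1,
# plus a cert with only serverAuth so the EKU check has something to reject.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Intermediate CA issued by the root; CA:TRUE so it may sign end-entity certs.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/inter.ext"
  openssl x509 -req -days 1825 -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/inter.ext" -out "$dir/inter.crt" 2>/dev/null
  # Client cert issued by the intermediate, EKU = clientAuth.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=demo-user" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
  # Same CSR, but EKU = serverAuth only: correctly signed, wrong usage.
  printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/serveronly.crt" 2>/dev/null
  # Chain bundle: intermediate plus root, what a verifier needs to walk
  # client -> intermediate -> root.
  cat "$dir/inter.crt" "$dir/root.crt" > "$dir/chain.pem"
}

# 0 if the cert in $1 lists "TLS Web Client Authentication" in its EKU.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# check_client_cert CA_FILE CLIENT_CERT
# 0 when CLIENT_CERT chains to the CA(s) in CA_FILE and has the clientAuth EKU,
# 1 when the signature/chain check fails, 2 when the EKU is missing.
check_client_cert() {
  ca=$1; cert=$2
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not chain to the CA(s) in $ca" >&2
    return 1
  fi
  if ! has_client_auth_eku "$cert"; then
    echo "FAIL: $cert has no clientAuth Extended Key Usage" >&2
    return 2
  fi
  echo "OK: $cert is signed by $ca and allows client authentication"
}

main() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  check_client_cert "$work/chain.pem" "$work/client.crt"           # passes
  check_client_cert "$work/inter.crt" "$work/client.crt" || true   # fails: root not in CA file
  check_client_cert "$work/chain.pem" "$work/serveronly.crt" || true  # fails: serverAuth only
  rm -rf "$work"
}

# Run the demo with: sh check_client_cert.sh demo
case "${1:-}" in demo) main ;; esac
```

For a real pair, `check_client_cert client_auth_cert.crt theirclient.crt` is the same test the reply suggests doing by hand: if the first check fails, the cert in the authgroup is not the issuer of the client cert (or, with an intermediate issuer, the file holds only part of the chain); if the second fails, the client cert was issued without a client-authentication usage and no ACE configuration will make the handshake succeed.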

axfalk Thu, 10/28/2010 - 16:46

If the CA that signed the client cert happened to be an intermediate CA, do we need to include the root CA into the authgroup as well?


Thanks,


_Greg
