Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
769
Views
0
Helpful
2
Replies

Client Cert issues on ACE module

m-loughry
Level 1
Level 1

‎08-05-2010 11:35 AM

We have SSL termination on our ACE module which has been working for a while for a specific URL/VIP.  Recently we were given a certificate from the developers and asked to install it onto the ACE so that SSL client certificate authentication can take place so only certain users can access the site.  We imported the certificate, created the authgroup, and referenced the newly installed client cert.  They tested and state its not working.    they are stating our ACE is not configured properly.  As this is the first client scenario we have, I want to be sure that they are not right.  Here is our config pertaining to this connection:

  class WEBSERVER_SSL
    loadbalance vip inservice
    loadbalance policy WEBSERVER_SSL
    loadbalance vip icmp-reply active
    ssl-proxy server WEBSERVER_CERT

ssl-proxy service WEBSERVER_CERT
  key client_url.key

  cert client_url.crt 

  authgroup CLIENT_CERT_INFO


crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt

I am familiar with generating the keypair and installing certs and keys for SSL termination, but not sure what cert/key/etc...needs to be copied onto the ACE for client authentication, is this something they generate and provide me?

Any info is greatly appreciated.

Labels:
0 Helpful
2 Replies 2

litrenta
Level 3
Level 3

‎08-05-2010 12:12 PM

Your ssl proxy would have the server cert ,

key and authgroup.

The authgroup needs the CA cert that signed the client cert.

so:

ssl-proxy service WEBSERVER_CERT
  key client_url.key <-----this is your normal key that was used to generate csr for server cert

  cert client_url.crt  <------------this is the server cert

  authgroup CLIENT_CERT_INFO <---this causes the proxy to send a certificate request to the client and use the cert in the authgroup (the one that signed the client cert) to authenticate the client

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt  <----------this should be the CA cert that signed the client cert that the client will send us

you should be able to take the client cert and CA cert give them a .cer extension and look at their details in windows. Look to see that the autgroup cert signed the client cert. and that client cert has ext key usage set to client cert or both server cert and client cert.

reference for config.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/ssl/guide/terminat.html#wp1117637

0 Helpful

axfalk
Level 1
Level 1
In response to litrenta

‎10-28-2010 04:46 PM

If the CA that signed the client cert happened to be an intermediate CA, do we need to include the root CA into the authgroup as well?

Thanks..

_Greg

0 Helpful
Customers Also Viewed These Support Documents