08-05-2010 11:35 AM
We have SSL termination on our ACE module which has been working for a while for a specific URL/VIP. Recently we were given a certificate from the developers and asked to install it onto the ACE so that SSL client certificate authentication can take place, so only certain users can access the site. We imported the certificate, created the authgroup, and referenced the newly installed client cert. They tested and state it's not working. They are stating our ACE is not configured properly. As this is the first client scenario we have, I want to be sure that they are not right. Here is our config pertaining to this connection:
class WEBSERVER_SSL
  loadbalance vip inservice
  loadbalance policy WEBSERVER_SSL
  loadbalance vip icmp-reply active
  ssl-proxy server WEBSERVER_CERT

ssl-proxy service WEBSERVER_CERT
  key client_url.key
  cert client_url.crt
  authgroup CLIENT_CERT_INFO

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt
I am familiar with generating the keypair and installing certs and keys for SSL termination, but I'm not sure what cert/key/etc. needs to be copied onto the ACE for client authentication. Is this something they generate and provide to me?
Any info is greatly appreciated.
08-05-2010 12:12 PM
Your ssl proxy would have the server cert, key and authgroup.
The authgroup needs the CA cert that signed the client cert.
so:
ssl-proxy service WEBSERVER_CERT
  key client_url.key          <----- this is your normal key that was used to generate the CSR for the server cert
  cert client_url.crt         <----- this is the server cert
  authgroup CLIENT_CERT_INFO  <----- this causes the proxy to send a certificate request to the client and use the cert in the authgroup (the one that signed the client cert) to authenticate the client

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt   <----- this should be the CA cert that signed the client cert that the client will send us
You should be able to take the client cert and CA cert, give them a .cer extension and look at their details in Windows. Look to see that the authgroup cert signed the client cert, and that the client cert has ext key usage set to client cert or both server cert and client cert.
Reference for config.
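The two checks described above (that the authgroup cert actually signed the client cert, and that the client cert's extended key usage permits client authentication), as an added example that is not part of the thread: a POSIX shell script using openssl that builds throwaway test certificates and then runs both checks against them. The check_client_cert function, the constructed test CA and the file names are this example's own, not ACE commands or the poster's files.

```shell
#!/bin/sh
# Added example (not from the thread): automate the two checks the reply
# describes, that the authgroup cert signed the client cert and that the
# client cert's Extended Key Usage allows client authentication.
# All certificates are throwaway test material created inside the script.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl req config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$WORK/req.cnf"

# new_cert NAME SUBJECT EXTENSIONS [CA_NAME]: self-signed when CA_NAME is omitted.
new_cert() {
  name="$1"; subj="$2"; ext="$3"; ca="$4"
  openssl genrsa -out "$WORK/$name.key" 2048 >/dev/null 2>&1
  openssl req -new -config "$WORK/req.cnf" -subj "$subj" -key "$WORK/$name.key" \
    -out "$WORK/$name.csr" >/dev/null 2>&1
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  if [ -z "$ca" ]; then
    openssl x509 -req -days 2 -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
  else
    openssl x509 -req -days 2 -in "$WORK/$name.csr" -CA "$WORK/$ca.crt" \
      -CAkey "$WORK/$ca.key" -CAcreateserial -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.crt" >/dev/null 2>&1
  fi
}

# check_client_cert AUTHGROUP_CA_FILE CLIENT_CERT_FILE
# Returns 0 if the CA file verifies the client cert and its EKU includes clientAuth,
# 1 if the signature chain does not verify, 2 if the EKU does not permit client auth.
check_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication' || return 2
  return 0
}

# Constructed test PKI: a CA, a proper client cert, a server-only cert, an unrelated CA.
new_cert ca '/CN=Constructed Test CA' 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
new_cert other_ca '/CN=Unrelated Test CA' 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
new_cert client '/CN=test user' 'extendedKeyUsage=clientAuth' ca
new_cert server_only '/CN=test user' 'extendedKeyUsage=serverAuth' ca

check_client_cert "$WORK/ca.crt" "$WORK/client.crt" && echo "client.crt: OK for authgroup cert ca.crt"
check_client_cert "$WORK/ca.crt" "$WORK/server_only.crt" || echo "server_only.crt rejected, code $? (EKU)"
check_client_cert "$WORK/other_ca.crt" "$WORK/client.crt" || echo "client.crt vs other_ca.crt rejected, code $?"
```

Point check_client_cert at the real authgroup cert and the cert the client presents (converted to PEM) to reproduce the inspection the reply suggests doing in Windows.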
10-28-2010 04:46 PM
If the CA that signed the client cert happened to be an intermediate CA, do we need to include the root CA into the authgroup as well?
Thanks.
_Greg