Cisco Support Community
ACE SSL Offload and Client Authentication


We had a requirement from one of our customers that their client terminals (POS terminals) should be authenticated by the ACE, which is terminating the SSL connection. Backend connections to the server are clear text.

In a normal SSL flow the server sends the certificate to the client and the client verifies the identity of the server, but in our case we need the server/ACE to authenticate the client, or some form of mutual authentication should be there.

As per the documentation we have enabled the authgroup to enable the client authentication feature, but when we are testing the application it seems that only the front-end (client to ACE) connection gets established, but not the back end.

We have verified that if client authentication is disabled the application works fine, but then the ACE sends its certificate and the client is not authenticated.

crypto authgroup POS
   cert certfinal.pem

ssl-proxy service ssl-proxy
   key POS
   cert certfinal.pem
   authgroup POS
   ssl advanced-options POS

'certfinal.pem' is generated from the combination of the root certificate, the intermediate certificate (from the ACE CSR) and the key (generated on the ACE) for the CSR.

On the client (POS terminal) they have uploaded the intermediate certificate (from the ACE CSR), because the client couldn't generate a CSR since it's a POS terminal.

Our scenario is as given below, with client authentication:

(Server)---------------clear text----------------(ACE)-----------------SSL--------------------(POS Terminals/client)

Can you guide us on how to move ahead.

ACE SSL Offload and Client Authentication


During SSL client authentication, your POS terminals should send their client certificate to the ACE, and the ACE will compare this certificate with the one configured in the authgroup. In your case, I guess at the ACE you are using the same set of certificates for both client and server authentication, and the client is not offering any client certificate.
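Added example, not from this thread and not Cisco code: a Go program built on the standard crypto/tls package that stands in for the ACE with client authentication turned on. It mints a constructed CA, an "ACE" server certificate and a POS terminal certificate, then runs three handshakes over loopback: the terminal presents a certificate issued by the CA the server trusts; the terminal presents nothing (the situation the reply above suspects); and the server's client trust store holds the ACE's own server certificate instead of the CA (the "same set of certificates for both" case). The trust store the server verifies client certificates against is this example's analogue of the authgroup; that an authgroup should hold the CA certificate that issued the terminal certificates, rather than the ACE's own certificate, is an assumption of this example, not something the thread states. All names (POS-CA, pos-terminal-0001, localhost) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on setup errors (key generation, listener); handshake verdicts are returned, not panicked.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity mints a certificate for cn with a fresh P-256 key. With signer == nil it is a
// self-signed root CA; otherwise it is issued by signer (like an ACE CSR signed by a CA).
func newIdentity(cn string, isCA bool, signer *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              []string{"localhost"}, // constructed SAN so the client can verify the "ACE"
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signKey := tmpl, key // self-signed unless a signer is given
	if signer != nil {
		parent, signKey = signer.Leaf, signer.PrivateKey.(*ecdsa.PrivateKey)
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

func poolOf(id tls.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(id.Leaf)
	return p
}

// mutualHandshake runs one TLS handshake over loopback. The server (the ACE role) demands a client
// certificate and verifies it against `trusted`, the authgroup analogue; client == nil models a
// terminal that offers nothing. It returns the client CN the server accepted, or the server-side error.
func mutualHandshake(ca, trusted, server tls.Certificate, client []tls.Certificate) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    poolOf(trusted),
	}
	cliCfg := &tls.Config{RootCAs: poolOf(ca), ServerName: "localhost", Certificates: client}
	go func() { // the terminal: connect, wait for the server's verdict, hang up
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			_, _ = c.Read(make([]byte, 1))
			c.Close()
		}
	}()
	s := tls.Server(must(ln.Accept()), srvCfg)
	defer s.Close()
	if err := s.Handshake(); err != nil {
		return "", err
	}
	return s.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca := newIdentity("POS-CA", true, nil)
	ace := newIdentity("localhost", false, &ca)
	pos := newIdentity("pos-terminal-0001", false, &ca)
	for _, tc := range []struct {
		name    string
		trusted tls.Certificate
		client  []tls.Certificate
	}{
		{"authgroup holds the CA, terminal presents its cert", ca, []tls.Certificate{pos}},
		{"authgroup holds the CA, terminal presents nothing", ca, nil},
		{"authgroup holds the ACE's own cert, terminal presents its cert", ace, []tls.Certificate{pos}},
	} {
		if cn, err := mutualHandshake(ca, tc.trusted, ace, tc.client); err != nil {
			fmt.Printf("%-62s REJECTED: %v\n", tc.name, err)
		} else {
			fmt.Printf("%-62s ACCEPTED %q\n", tc.name, cn)
		}
	}
}
```

Run with `go run`: the first case prints ACCEPTED with the terminal's CN, the other two print REJECTED with the server-side handshake error. One detail worth knowing when reading a capture of the failing setup: the server's CertificateRequest carries the subject names of the CAs it accepts, and Go's client, when none of its certificates was issued by one of those names, sends an empty Certificate message rather than an unacceptable one, so on the server the third case can surface as "no client certificate" even though the terminal does hold one.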
