
New Member

Client Cert issues on ACE module

We have SSL termination on our ACE module which has been working for a while for a specific URL/VIP. Recently we were given a certificate from the developers and asked to install it onto the ACE so that SSL client certificate authentication can take place so only certain users can access the site. We imported the certificate, created the authgroup, and referenced the newly installed client cert. They tested and state it's not working. They are stating our ACE is not configured properly. As this is the first client scenario we have, I want to be sure that they are not right. Here is our config pertaining to this connection:

    loadbalance vip inservice
    loadbalance policy WEBSERVER_SSL
    loadbalance vip icmp-reply active
    ssl-proxy server WEBSERVER_CERT

ssl-proxy service WEBSERVER_CERT
  key client_url.key
  cert client_url.crt
  authgroup CLIENT_CERT_INFO

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt

I am familiar with generating the keypair and installing certs and keys for SSL termination, but I am not sure what cert/key/etc. needs to be copied onto the ACE for client authentication. Is this something they generate and provide me?

Any info is greatly appreciated.

Cisco Employee

Re: Client Cert issues on ACE module

Your SSL proxy would have the server cert, key and authgroup.

The authgroup needs the CA cert that signed the client cert.


ssl-proxy service WEBSERVER_CERT
  key client_url.key  <----- this is your normal key that was used to generate the CSR for the server cert
  cert client_url.crt  <----- this is the server cert
  authgroup CLIENT_CERT_INFO  <----- this causes the proxy to send a certificate request to the client and use the cert in the authgroup (the one that signed the client cert) to authenticate the client

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt  <----- this should be the CA cert that signed the client cert that the client will send us

You should be able to take the client cert and CA cert, give them a .cer extension and look at their details in Windows. Look to see that the authgroup cert signed the client cert, and that the client cert has ext key usage set to client cert or both server cert and client cert.

Reference for config.
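Added example, not from this thread or from Cisco: a POSIX shell script that uses openssl to perform the two checks the reply above describes, namely that the cert placed in the authgroup actually signed the client cert and that the client cert carries the clientAuth extended key usage. It builds a constructed CA and client cert locally so it runs offline; openssl on PATH and every file and CN name are assumptions.

```shell
# Added example, not from the original thread. Before loading a CA cert into
# the ACE authgroup, confirm with openssl that it really issued the client
# cert and that the client cert carries the clientAuth extended key usage.
set -e

# make_ca DIR: constructed self-signed CA (ca.key/ca.crt) so the check runs
# offline; stands in for the CA that signed the developers' client cert.
make_ca() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sample CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$dir/ca_ext.cnf"
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 \
    -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt" >/dev/null 2>&1
}

# issue_cert DIR NAME EKU: end-entity cert NAME.crt signed by DIR's CA with
# the given extendedKeyUsage (clientAuth, serverAuth, ...).
issue_cert() {
  dir=$1; name=$2; eku=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$eku" > "$dir/$name.cnf"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/$name.cnf" \
    -out "$dir/$name.crt" >/dev/null 2>&1
}

# check_client_cert CA_CERT CLIENT_CERT: succeeds only if CA_CERT signed
# CLIENT_CERT (the authgroup requirement) and CLIENT_CERT's EKU includes
# TLS Web Client Authentication.
check_client_cert() {
  ca=$1; client=$2
  if ! openssl verify -CAfile "$ca" "$client" >/dev/null 2>&1; then
    echo "FAIL: $ca did not sign $client" >&2
    return 1
  fi
  if ! openssl x509 -in "$client" -noout -text \
       | grep -q 'TLS Web Client Authentication'; then
    echo "FAIL: $client has no clientAuth extended key usage" >&2
    return 1
  fi
  echo "OK: $client chains to $ca and is valid for client authentication"
}

# Demo run: build a constructed CA, issue a client cert, and check it.
d=$(mktemp -d); make_ca "$d"; issue_cert "$d" user1 clientAuth
check_client_cert "$d/ca.crt" "$d/user1.crt"
```

Point check_client_cert at the real authgroup cert and the client cert the developers supplied to reproduce the check outside of Windows.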

New Member

Re: Client Cert issues on ACE module

If the CA that signed the client cert happened to be an intermediate CA, do we need to include the root CA into the authgroup as well?