We have SSL termination on our ACE module which has been working for a while for a specific URL/VIP. Recently we were given a certificate from the developers and asked to install it onto the ACE so that SSL client certificate authentication can take place, so only certain users can access the site. We imported the certificate, created the authgroup, and referenced the newly installed client cert. They tested and state it's not working. They are stating our ACE is not configured properly. As this is the first client scenario we have, I want to be sure that they are not right. Here is our config pertaining to this connection:
class WEBSERVER_SSL
  loadbalance vip inservice
  loadbalance policy WEBSERVER_SSL
  loadbalance vip icmp-reply active
  ssl-proxy server WEBSERVER_CERT

ssl-proxy service WEBSERVER_CERT
  key client_url.key
I am familiar with generating the keypair and installing certs and keys for SSL termination, but I am not sure what cert/key/etc. needs to be copied onto the ACE for client authentication. Is this something they generate and provide me?
The authgroup needs the CA cert that signed the client cert.
ssl-proxy service WEBSERVER_CERT
  key client_url.key          <----- this is your normal key that was used to generate the CSR for the server cert
  cert client_url.crt         <----- this is the server cert
  authgroup CLIENT_CERT_INFO  <----- this causes the proxy to send a certificate request to the client and use the cert in the authgroup (the one that signed the client cert) to authenticate the client

crypto authgroup CLIENT_CERT_INFO
  cert client_auth_cert.crt   <----- this should be the CA cert that signed the client cert that the client will send us
You should be able to take the client cert and CA cert, give them a .cer extension, and look at their details in Windows. Look to see that the authgroup cert signed the client cert, and that the client cert has extended key usage set to client cert, or both server cert and client cert.