
Application Delivery (ADX)

SSL Client Authentication

by Yasir_Liaqatullah on 07-06-2009 03:55 PM


We want to enable client authentication.

The requirement is that when a client tries to connect to the ServerIron, the ServerIron requests a certificate and then verifies that certificate against a root certificate.

Required Certificates

The following certificates are required to enable the client-authentication functionality:

1. Server Certificate: the usual server certificate in the server profile
2. Server Certificate Key: the key corresponding to the Server Certificate
3. CA Certificate: the CA certificate that signed the client certificate

In addition to the above, it is also assumed that a client certificate has been issued and it is being used by the client.


Sample Configuration

    ssl profile verisign128
      keypair-file verisign128key
      certificate-file verisign128cert
      cipher-suite all-cipher-suites
      verify-client-cert per-connection require
      ca-cert-file level_0.pem
      session-cache off
    server source-nat-ip port-range 2
    server source-nat-ip port-range 2 for-ssl
    server real rs13
      port http
      port http url "HEAD /"
      port 8081
    server real rs14
      port http
      port http url "HEAD /"
      port 8081
    server virtual vip1
      port http
      bind http rs13 http rs14 http
      port ssl sticky
      port ssl ssl-terminate verisign128
      bind ssl rs13 8081 real-port http rs14 8081 real-port http
    ip address


The command "show ssl authentication-stat" displays useful information about client-authentication counters.

    SSL# rconsole 1 1
    SSL1/1#sho ssl authentication-stat
    SSL certificate verification counters:
                      Success :         20                    Failure :          3
                 Unknown user :          0           Signature failed :          0
          Certificate expired :          0        Certificate revoked :          0
          Cert not yet valid  :          3      Cert signature failed :          0
    Issuer pubkey decode fail :          0           Self signed cert :          0
        Issuer cert not found :          0    Subject Issuer mismatch :          0
        Certificate untrusted :          0        Cert chain too long :          0
    CRL counters:
              CRL load failed :          0       CRL signature failed :          0
                CRL not found :          0          CRL not yet valid :          0
                  CRL expired :          0


Tips and Caveats

The most common problem encountered is that the system time is not properly configured. Because the system clock defaults to January 1, 2000, a date that lies before the validity period of any current client certificate, certificate verification fails and the client is not authenticated.

In such situations, the "Cert not yet valid" counter goes up.

The remedy is to set the time on the system using "clock set":

  SSL#clock set 18:00:00 06-06-07
  Real Time Clock is programmed
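To reproduce this failure mode off the box, here is an added shell example (not from the original post and not ServerIron code) that builds a constructed test CA and client certificate with the openssl CLI, then verifies the client certificate against the CA file twice: once with the current clock and once with the clock forced to January 1, 2000. It assumes the openssl command is installed; all names and paths are made up for the example.

```shell
#!/bin/sh
# Added example: shows why a ServerIron with its default clock (2000-01-01)
# rejects a valid client certificate as "not yet valid".
# Assumes the openssl CLI; every certificate below is generated locally.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed CA (what the ServerIron loads as
# ca-cert-file) and a client certificate signed by that CA.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/CN=example-client" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/client.pem" >/dev/null 2>&1
}

# verify_client <epoch-seconds>: verifies client.pem against the CA the way
# "verify-client-cert" does, but with the verifier's clock set to the given
# time.  Exit status 0 means the certificate chain was accepted.
verify_client() {
  openssl verify -attime "$1" -CAfile "$WORK/ca.pem" "$WORK/client.pem"
}

make_test_pki
NOW=$(date +%s)
Y2K=946684800   # 2000-01-01 00:00:00 UTC, the ServerIron default clock

# With a correct clock the chain verifies ("client.pem: OK").
verify_client "$NOW"
# With the default clock the same certificate fails as "not yet valid",
# which is the condition that increments the "Cert not yet valid" counter.
verify_client "$Y2K" || echo "rejected with clock at 2000-01-01 (expected)"
```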

Further Reading