Application Delivery (ADX)

SSL Client Authentication

by Yasir_Liaqatullah on 07-07-2009 08:00 PM - edited on 10-31-2013 03:32 PM by bcm1


We want to enable client authentication.

The requirement is that when a client connects to the ServerIron, the ServerIron requests a certificate and then verifies that certificate against a root certificate.

Required Certificates

The following certificates are required to enable the client-authentication functionality:

1. Server Certificate: the usual server certificate in the server profile
2. Server Certificate Key: the key corresponding to the Server Certificate
3. CA Certificate: the CA certificate that signed the client certificate

In addition to the above, it is also assumed that a client certificate has been issued and is being used by the client.







    ssl profile verisign128
      keypair-file verisign128key
      certificate-file verisign128cert
      cipher-suite all-cipher-suites
      verify-client-cert per-connection require
      ca-cert-file level_0.pem
      session-cache off
    server source-nat-ip port-range 2
    server source-nat-ip port-range 2 for-ssl
    server real rs13
      port http
      port http url "HEAD /"
      port 8081
    server real rs14
      port http
      port http url "HEAD /"
      port 8081
    server virtual vip1
      port http
      bind http rs13 http rs14 http
      port ssl sticky
      port ssl ssl-terminate verisign128
      bind ssl rs13 8081 real-port http rs14 8081 real-port http
    ip address


The command "show ssl authentication-stat" displays useful information about client-authentication counters.


    SSL# rconsole 1 1
    SSL1/1#sho ssl authentication-stat
    SSL certificate verification counters:
                      Success :         20                    Failure :          3
                 Unknown user :          0           Signature failed :          0
          Certificate expired :          0        Certificate revoked :          0
          Cert not yet valid  :          3      Cert signature failed :          0
    Issuer pubkey decode fail :          0           Self signed cert :          0
        Issuer cert not found :          0    Subject Issuer mismatch :          0
        Certificate untrusted :          0        Cert chain too long :          0
    CRL counters:
              CRL load failed :          0       CRL signature failed :          0
                CRL not found :          0          CRL not yet valid :          0
                  CRL expired :          0



Tips and Caveats

The most common problem encountered is that the system time is not properly configured. Since the default system time is January 1, 2000, the client certificate is not yet valid at that date and client authentication fails.

In such situations, the counter "Cert not yet valid" goes up.

The remedy is to set the time on the system using "clock set":


  SSL#clock set 18:00:00 06-06-07
  Real Time Clock is programmed


Further Reading