FAQ

Is there any support for SSL client certificates prior to SGOS 6.3.1.1?

FAQ ID:    FAQ2215
Version:    7.0
Status:    Published
Published date:    07/31/2013
Updated:    08/01/2013

Answer

SGOS 6.3.1.1 introduced support for presenting entire client certificates to SSL servers that require client certificate authentication (see KB4819 for more information). Prior to this release, there indeed was support for client certificates but to a limited extent.

On versions prior to 6.3.1.1, the ProxySG can verify the client's certificate and forward certain of its attributes (not the entire certificate) to the server when the connection is intercepted on an HTTPS Reverse Proxy service, as explained in KB1418 and shown in the image below.

However, this article is specific to the ProxySG's ability to send the entire client certificate to a server when required. Prior to 6.3.1.1, sending the entire client certificate to a server that requires it was supported, but only one certificate could be used per ProxySG unit. Quite simply, once a keyring is set in the ProxySG's SSL client, the ProxySG presents that keyring's certificate whenever any server requests a client certificate. While this does not accommodate multiple servers that require different certificates, it is well suited to reverse proxy deployments where the back-end server(s) require client certificate authentication and, if there is more than one server, all accept the same certificate or the same root/intermediate CA.

For example, if you created a keyring with a signed certificate by submitting a certificate signing request (CSR), you can associate that keyring with the SSL client so that it is used for client certificate authentication to the back-end server(s). This is set in the Management Console under Configuration > SSL > SSL Client (see image below):


*Note: To be clear, the limitation is that setting the SSL client keyring means the same certificate is presented to every SSL server that requests a client certificate from the ProxySG.


** Apart from the above scenarios, if you have problems accessing an HTTPS site that requires a client certificate, and you are either running a version of SGOS prior to 6.3.1.1 or do not have the client certificate to install, you will need to force the ProxySG to TUNNEL the connection when the server sends a "Certificate Request". For more information on this, see FAQ893.