Client Consent Certificates and the ProxySG

Solutions ID:    KB1409
Version:    2.0
Status:    Published
Published date:    03/02/2009
Updated:    04/22/2009

Problem Description

Using Client Consent Certificates
You want information about using Client Consent Certificates.


The SSL Proxy, in forward proxy deployments, can specify whether a client certificate is required. These certificates are used for user consent, not for authentication. Whether they are needed depends upon local privacy laws.

With client consent certificates, each user is issued a pair of certificates with the corresponding private keys. Both certificates have a meaningful, user-readable string in the common name field. One certificate has a common name that indicates grant of consent, something like: "Yes, I agree to SSL interception". The other certificate has a common name indicating denial of consent, something like: "No, I do not agree to SSL interception".

Policy is installed on the ProxySG to look for these common names and to allow or deny actions. For example, when the string "Yes, I agree to SSL interception" is seen in the client certificate common name, the connection is allowed; otherwise, it is denied.

To Configure Client Consent Certificates:

  1. Install the issuer of the client consent certificates as a CA certificate.
  2. In VPM, configure the Require Client Certificate object in the Action column of the SSL Layer.
  3. Configure the Client Certificate object in the Source column to match common names.
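The certificate side of this setup can be sketched with OpenSSL. This is an added example, not Blue Coat's code or the ProxySG's implementation: the function names, file layout and the "Example Corp" issuer are hypothetical, and `consent_decision` only models the allow/deny rule described above (issuer trusted, then common name matched).

```shell
#!/bin/sh
# Added example: names, paths and the "Example Corp" CA are hypothetical.
CN_YES="Yes, I agree to SSL interception"        # strings from the article
CN_NO="No, I do not agree to SSL interception"

# make_ca DIR: create the issuer; ca.pem is what step 1 installs as a CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example Corp/CN=Example Consent CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert DIR NAME CN: new key pair plus a certificate signed by the CA in DIR.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Corp/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 365 -out "$1/$2.pem" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAserial "$1/ca.srl" -CAcreateserial 2>/dev/null
}

# issue_consent_pair DIR USER: the grant and denial certificates for one user.
issue_consent_pair() {
    issue_cert "$1" "$2-yes" "$CN_YES" && issue_cert "$1" "$2-no" "$CN_NO"
}

# cert_cn CERT: print the subject common name exactly as stored.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# consent_decision CA CERT: allow only a CA-issued certificate whose common
# name is the grant string; everything else is denied.
consent_decision() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo deny; return 0; }
    if [ "$(cert_cn "$2")" = "$CN_YES" ]; then echo allow; else echo deny; fi
}
```

After `make_ca "$d"` and `issue_consent_pair "$d" alice`, `consent_decision "$d/ca.pem" "$d/alice-yes.pem"` prints `allow`; the denial certificate, and any certificate carrying the grant string that was not issued by the CA, prints `deny`.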
