Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

How to configure the LoadMaster to send a client certificate to the server





How to configure the LoadMaster to present a client certificate to the server.


Product: LoadMaster.

Version: Any.

Platform: Any.

Application: HTTPS-based applications.

Question/Problem Description:

How to configure the LoadMaster to send a client certificate to the server if this is required for a HTTPS application.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  

NOTE: The LoadMaster can only be configured to send a single client certificate to servers in a Virtual Service. If it is required that the LoadMaster handles multiple client certificates as enforced by the server, please configure the Virtual Service as a HTTPS passthrough instead which means disabling SSL Accelaration altogether as shown below:


By default, the LoadMaster does not present any client certificate to a back-end server when establishing the connection (LoadMaster to server). However, if the server requires the LoadMaster to present a client certificate, this behavior can be changed by using Reencryption Usage (LoadMaster WUI > Certificates & Security > SSL Certificates). 

To configure a certificate to be sent to a server as a client certificate in a specific VS we'd need to do the following:

1. Locate the SSL certificate in the SSL certificates tab.

2. Click on Reencryption Usage.

3. Select the Virtual Service (which needs to be configured to Reencrypt the traffic) and use > button to move the IP address to the Assigned VSs box.

4. Save changes.


Once these changes are made, navigate to the VIP > SSL properties and the client certificate will be populated next to Reencryption Client Certificate.



Was this article helpful?
0 out of 0 found this helpful



Jason Phillips

I've updated the config to reflect the following image below. For the field Strict Transport Security Header, I originally had "Add - with include subdomain" and updated to what you have provided, as reflected in the image

The vss shows as up and healthy so I would expect to be able to connect at this point, but still unable to do so. We will continue to t-shoot

I've uploaded the latest config for the ticket.