Client Certificates

The Client Certificates drop-down list is available in the SSL Properties section of the Virtual Service modify screen. To access this screen, in the LoadMaster Web User Interface (WUI), go to Virtual Services > View/Modify Services and click Modify on the relevant Virtual Service.

The possible values that can be set for this field are described below:

  • No Client Certificates required: enables the LoadMaster to accept HTTPS requests from any client. This is the recommended option.
    Note: By default the LoadMaster will accept HTTPS requests from any client. Selecting any of the other values below will require all clients to present a valid client certificate. The LoadMaster can also pass information about the certificate to the application.
    This option should not be changed from the default of No Client Certificates required. Only change from the default option if you are sure that all clients that access this service have valid client certificates.
  • Client Certificates required: requires that all clients forwarding an HTTPS request must present a valid client certificate.
  • Client Certificates and add Headers: requires that all clients forwarding an HTTPS request must present a valid client certificate. The LoadMaster also passes information about the certificate to the application by adding headers.
  • The following options pass the certificate through to the application in its original raw form. They differ in the format (DER or PEM) and the header name (SSL-CLIENT-CERT or X-CLIENT-CERT) used to send the certificate:
    • Client Certificates and pass DER through as SSL-CLIENT-CERT
    • Client Certificates and pass DER through as X-CLIENT-CERT
    • Client Certificates and pass PEM through as SSL-CLIENT-CERT
    • Client Certificates and pass PEM through as X-CLIENT-CERT
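
An application behind the LoadMaster should only honor a passed-through certificate header when the request really arrived from the LoadMaster, since any client that can reach the application directly could set the same header. The sketch below is an added example, not Kemp code: the proxy address, the allow-list, and the assumption that the DER variant arrives base64-encoded (and that PEM line breaks may be removed) are illustrative and should be checked against a captured request.

```python
import base64
import hashlib
import re

# Header names come from the option list above; everything else is assumed.
CERT_HEADERS = ("SSL-CLIENT-CERT", "X-CLIENT-CERT")
TRUSTED_PROXIES = {"10.0.0.5"}  # assumption: LoadMaster address seen by the backend

# Constructed placeholder: a tiny DER SEQUENCE, not a real X.509 certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
ALLOWED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}


def header_to_der(value):
    """Decode a PEM or base64-DER header value to raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", value)
    body = re.sub(r"\s+", "", body)  # PEM line breaks may be folded or removed
    der = base64.b64decode(body, validate=True)  # raises ValueError on junk
    if not der or der[0] != 0x30:  # every certificate is a DER SEQUENCE
        raise ValueError("header does not contain a DER certificate")
    return der


def forwarded_fingerprint(peer_ip, headers):
    """Return the SHA-256 fingerprint of the forwarded certificate, or None."""
    if peer_ip not in TRUSTED_PROXIES:
        return None  # request bypassed the load balancer: ignore cert headers
    upper = {k.upper(): v for k, v in headers.items()}
    values = [upper[h] for h in CERT_HEADERS if h in upper]
    if len(values) != 1:
        return None  # missing, or both names present: treat as unauthenticated
    try:
        return hashlib.sha256(header_to_der(values[0])).hexdigest()
    except ValueError:
        return None


def is_authorized(peer_ip, headers):
    """True only for a trusted proxy forwarding an allow-listed certificate."""
    return forwarded_fingerprint(peer_ip, headers) in ALLOWED_FINGERPRINTS
```

In a real deployment the fingerprint check would be replaced or supplemented by parsing the certificate with an X.509 library and authorizing on its subject or issuer.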

Comments

Micki Wulffeld

Can you tell me what it means by "valid client certificate"?
I want only to authenticate clients that have a Local Machine Certificate issued by my Certificate Authority. The LoadMaster certificate on the VIP is also issued by the local CA. I also installed intermediate certs from my infrastructure, but I can't get it to work. Does the client certificate need to be a user certificate maybe?

support

I also would require a better definition of what's a "valid client certificate".

Stefan Klotz

Normally you need to specify a trusted CA on the LM, from which the client-certificates are issued. How will this be handled with KEMP LM, as I don't see such an option?