How to Configure Client Certificate Authentication with ESP
In this article, we will configure Edge Security Pack (ESP) using client certificates and discuss some of the requirements and common issues.
When using Client Certificates with ESP you cannot create a Virtual Service (VS) whose Sub Virtual Services (SubVSs) use different client-side authentication methods. This is because the Secure Sockets Layer (SSL) handshake, and with it the request for a client certificate, takes place on the top-level VS.
For example, if some SubVSs are configured for Forms Based authentication, their clients are still forced to present a client certificate.
The only server-side authentication method available with client certificates is Kerberos.
For instructions on how to configure Kerberos refer to the Kerberos Constrained Delegation Feature Description.
1. Create Client Certificate
This step is not necessary if you already have a client certificate issued by your own Certificate Authority (CA), but it is useful for testing. The -des3 option encrypts the generated keys, so OpenSSL will prompt for a passphrase.
Create CA Key and Self-Signed CA Cert
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Create Client Key
openssl genrsa -des3 -out client.key 4096
Create Client CSR
openssl req -new -key client.key -out client.csr
Sign Cert with SHA-2 (SHA-256)
openssl x509 -sha256 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 05 -out client.crt
2. Import Client Cert Into Browser
When importing your client certificate, ensure that the file contains the private key as well as the certificate.
Do this by converting the certificate and key to a PFX (PKCS#12) file.
Convert to PFX
openssl pkcs12 -export -inkey client.key -in client.crt -out Client2.p12
Import the certificate into a browser, such as Chrome, by navigating to:
Settings > Advanced > Manage certificates > Personal.
If using your own CA you will be required to import your CA cert into the Trusted Root Store.
3. Import CA Root Cert into LoadMaster
In order for the LoadMaster to verify client certificates, the CA root certificate must be imported onto the LoadMaster under Certificates & Security > Intermediate Certs.
If using a third-party CA, the associated intermediate certificates must also be imported so that the LoadMaster can build the full chain from the client certificate to the root.
4. Configure Client Certificate SSO
Virtual Services > Manage SSO > Add new Client Side Configuration
Information on configuring an LDAP EndPoint can be found here: How to Configure An LDAP Endpoint
Allow fallback to check Common Name
If the username is contained in the Common Name (CN) rather than in the Subject Alternative Name (SAN), enable Allow fallback to check Common Name.
Check Certificate to User Mapping
When this option is enabled, in addition to checking the validity of the client certificate, the certificate is also checked against the altSecurityIdentities (ASI) attribute of the user in Active Directory.
If this option is enabled and the check fails, the login attempt fails. If it is not enabled, a valid client certificate (with the username in the SubjectAltName (SAN)) is sufficient to log in, even if the user's ASI attribute is absent or does not match.
5. Configure Virtual Service
Modify VS > ESP > Client Authentication Mode > Client Certificates.
SSL Acceleration must be enabled on the VS under SSL Properties.
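The following script is an added example, not part of the original article or of the LoadMaster product: it runs steps 1 and 2 above non-interactively with OpenSSL, then shows two of the checks the article relies on: chain verification against the CA root (what the LoadMaster does with the root imported in step 3) and mapping a certificate to a username from the SAN with optional fallback to the CN (the Allow fallback to check Common Name option in step 4). The CA name, the user jsmith@example.com, the PFX passphrase changeit, the use of an rfc822Name (email) SAN entry, and the unencrypted keys (no -des3, so no passphrase prompts) are all constructed for this lab example; the article does not state which SAN type the LoadMaster reads.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway test CA and
# client certificate, then demonstrates chain verification and certificate-to-
# username mapping as described in the article. All names, the user
# jsmith@example.com and the passphrase "changeit" are constructed values.
set -eu

# make_test_pki DIR USERNAME WITH_SAN
#   Creates ca.crt, client.crt and client.p12 in DIR. WITH_SAN=1 puts the
#   username in the SAN (email:) and the CN; WITH_SAN=0 puts it in the CN only.
#   Keys are left unencrypted so the script runs without prompts (lab use only).
make_test_pki() {
  dir=$1; user=$2; with_san=$3
  mkdir -p "$dir"
  # Step 1: CA key and self-signed CA cert
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key "$dir/ca.key" \
    -subj "/O=Example Lab/CN=Example Lab Test CA" -out "$dir/ca.crt"
  # Client key and CSR
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/O=Example Lab/CN=$user" \
    -out "$dir/client.csr"
  # Extensions applied at signing time: clientAuth EKU, plus the SAN if requested
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/ext.cnf"
  if [ "$with_san" = 1 ]; then
    printf 'subjectAltName=email:%s\n' "$user" >> "$dir/ext.cnf"
  fi
  # Sign with SHA-256, as in the article's "Sign Cert with SHA 2" step
  openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -set_serial 05 -extfile "$dir/ext.cnf" \
    -out "$dir/client.crt" 2>/dev/null
  # Step 2: bundle certificate and private key into a PFX for browser import
  openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
    -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/client.p12"
}

# verify_chain CA_CRT CLIENT_CRT: prints OK when the client cert chains to the
# given root (the check the LoadMaster performs with the imported CA), else FAIL
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# pfx_has_key PFX PASSPHRASE: prints yes when the PFX contains a private key,
# which the article requires for browser import, otherwise no
pfx_has_key() {
  if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
      | grep -q 'PRIVATE KEY'; then echo yes; else echo no; fi
}

# cert_username CLIENT_CRT ALLOW_CN_FALLBACK
#   Mirrors the SSO options in step 4: take the username from the SAN; if the
#   SAN carries none and ALLOW_CN_FALLBACK=1, fall back to the CN; otherwise
#   print nothing and return 1 (the login would fail).
cert_username() {
  crt=$1; fallback=$2
  san_user=$(openssl x509 -in "$crt" -noout -text \
    | sed -n 's/.*email:\([^,[:space:]]*\).*/\1/p' | head -n 1)
  if [ -n "$san_user" ]; then echo "$san_user"; return 0; fi
  if [ "$fallback" = 1 ]; then
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -n "$cn" ]; then echo "$cn"; return 0; fi
  fi
  return 1
}

# Demo: one cert with the username in the SAN, one with it in the CN only
work=$(mktemp -d)
make_test_pki "$work/san" jsmith@example.com 1
make_test_pki "$work/cn"  jsmith@example.com 0
echo "chain check (SAN cert):            $(verify_chain "$work/san/ca.crt" "$work/san/client.crt")"
echo "PFX contains private key:          $(pfx_has_key "$work/san/client.p12" changeit)"
echo "SAN cert -> user:                  $(cert_username "$work/san/client.crt" 0)"
echo "CN-only cert, fallback off -> user: '$(cert_username "$work/cn/client.crt" 0 || true)'"
echo "CN-only cert, fallback on  -> user: $(cert_username "$work/cn/client.crt" 1)"
# A cert issued by a different CA fails the chain check, as it would on a
# LoadMaster that has only the first root imported
echo "chain check (other CA's cert):     $(verify_chain "$work/san/ca.crt" "$work/cn/client.crt")"
```

The CN-only certificate with fallback disabled yields no username at all, which is the situation the Allow fallback to check Common Name option exists to handle; the final chain check shows why the correct root (and any intermediates) must be present on the LoadMaster before a certificate from that CA can be accepted.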
For further information on troubleshooting Client Certs please see: ESP Client Certificate SSO Debug Trace