Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

How to Configure Client Certificate Authentication with ESP

Scope

In this article, we will configure Edge Security Pack (ESP) using client certificates and discuss some of the requirements and common issues. 

When using Client Certificates with ESP you can not create a Virtual Service (VS) that contains Sub Virtual Services (SubVS) containing different Client Side Authentication methods. This is because the Secure Sockets Layer (SSL) process takes place on the top level VS.

For example, if you have various SubVS that are configured for Forms Based authentication, then these clients are forced to present a client certificate.

 

Kerberos

As of firmware 7.2.54 authentication modes available with Client Certs are Kerberos and none.

For instructions on how to configure Kerberos refer to the Kerberos Constrained Delegation Feature Description.

 

1. Create Client Certificate

This step is not necessary if you already have a client cert from your own Certificate Authority (CA), but is useful for testing purposes. 

 

Create CA

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

 

Create Client Key

openssl genrsa -des3 -out client.key 4096

 

Create Client CSR

openssl req -new -key client.key -out client.csr

  

Sign Cert with SHA 2

openssl x509 -sha256 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 05 -out client.crt

 

  Convert to PFX

openssl pkcs12 -export -inkey client.key  -in client.crt -out Client2.p12

 

 

2. Import Client Cert Into Browser

When importing your client certificate, ensure that the cert contains the private key. 

Do this by converting the certificate and key to a PFX. See step above.

 

Import the certificate into a browser, such as Chrome, by navigating to:

Settings > Advanced > Manage certificates > Personal.

If using your own CA you will be required to import your CA cert into the Trusted Root Store.

 

3Import CA Root Cert into LoadMaster

In order for the LoadMaster to verify the client certificate the CA root certificate must be imported onto the LoadMaster under Certificates & Security > Intermediate Certs.

If using 3rd party CA, an import of the associated intermediate certificates is also required.

 

 

4. Configure Client Certificate SSO

Navigate to: Virtual Services > Manage SSO > Add new Client Side Configuration

 

LDAP EndPoint 

Information on configuring an LDAP EndPoint can be found here: How to Configure An LDAP Endpoint

 

Allow fallback to check Common Name

If the username is contained in the common name, and not the SAN Name, enable Allow fallback to check Common Name.

 

Check Certificate to User Mapping

When this option is enabled, in addition to checking the validity of the client certificate, the client certificate is also be checked against the altSecurityIdentities (ASI) attribute of the user in Active Directory.

If this option is enabled, and the check fails, the login attempt will fail. If this option is not enabled, only a valid client certificate (with the username in the SubjectAltName (SAN)) is required to log in, even if the ASI attribute for the user is not present or not matching.

 

 

 5. Configure Virtual Service

 Modify VS > ESP > Client Authentication Mode > Client Certificates. 

 SSL Acceleration must be enabled on the VS under SSL Properties.  

 

For further information on troubleshooting Client Certs please see: ESP Client Certificate SSO Debug Trace


Was this article helpful?
0 out of 0 found this helpful

Comments