Assigning Intermediate and Root Certificates to Virtual Services
This article relates to LoadMaster firmware version 7.2.51.
Prior to LoadMaster firmware version 7.2.51, there was no ability to assign intermediate or root certificates to a Virtual Service. The Certificate Authority (CA) for client certificates was kept in the global certificate store, so the following could occur:
- Client certificates from two different CAs are installed on the LoadMaster
- Client A presents a certificate issued by CA 1 and, as the network administrator, you want Client A to be able to access only Virtual Service 1.
- Client B presents a certificate issued by CA 2 and, as the network administrator, you want Client B to be able to access only Virtual Service 2.
- Because both client certificates are validated against the global LoadMaster trust store, client A is also allowed access to Virtual Service 2 and client B is also allowed access to Virtual Service 1.
In LoadMaster firmware version 7.2.51 and above, it is possible to assign intermediate and root certificates to specific Virtual Services. This provides the ability to restrict access. It also gives control over which client certificates are eligible to be used when connecting to a service, which is useful in environments with multiple client certificates signed by multiple authorities.
When this is configured correctly for the scenario above, Client A has access only to Virtual Service 1 and Client B has access only to Virtual Service 2.
To configure this, follow the steps below:
1. Upload the relevant certificates.
2. Then in the LoadMaster User Interface (UI), go to Virtual Services > View/Modify Services.
3. Click Modify on the relevant Virtual Service.
4. Expand the SSL Properties section.
5. Click Show Intermediate Certificates.
6. Select the relevant certificates from the boxes and click the arrows to remove/assign them from/to the Virtual Service.
7. Then, click Set Intermediate Certificates.
It is not possible to unassign all certificates from the Virtual Service. If you do not want client certificates to be required, select No Client Certificates required in the Client Certificates drop-down list.
For further details on SSL in general, refer to the Long Term Support (LTS) SSL Accelerated Services Feature Description document.
Application Programming Interface (API) Details
You can use the intermediatecerts parameter in the RESTful API modvs command to assign certificates to a Virtual Service.
An example cURL command to assign certificates to a Virtual Service is below:
curl -k -u "<Username>:<Password>" "https://<LoadMasterIPAddress>/access/modvs?vs=<VirtualServiceIPAddress>&port=<VirtualServicePort>&prot=<VirtualServiceProtocol>&IntermediateCerts=<CertificateNameOne>+<CertificateNameTwo>"
You cannot add a certificate to an already assigned list of certificates: every certificate that should be assigned to the Virtual Service must be specified in the one modvs command, because each modvs call replaces the whole assignment.
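The following Python helper is an added example and is not LoadMaster or Kemp code. It builds the modvs request in the form of the cURL command above (certificate names joined with "+" in the IntermediateCerts parameter, as the article shows) and handles the replace-not-append behaviour by first merging the currently assigned names with the new ones so that a single modvs call carries the complete list. It also verifies the LoadMaster's management certificate against a CA file instead of skipping verification as the cURL example's -k does. The host name, Virtual Service address and certificate names are constructed sample values; the currently assigned list is assumed to have been read from showvs, whose output format is not reproduced here.

```python
"""Build the LoadMaster modvs request that assigns intermediate/root
certificates to a Virtual Service (added example, not LoadMaster code)."""
import base64
import ssl
import urllib.request
from urllib.parse import quote


def full_cert_set(current, additions):
    """modvs replaces the whole assignment, so compute the complete list:
    everything already assigned (as reported by showvs) plus the new
    names, order kept, no repeats."""
    seen = set()
    result = []
    for name in list(current) + list(additions):
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result


def build_modvs_url(loadmaster, vs, port, prot, certs):
    """Return the /access/modvs URL in the form shown in the article:
    certificate names joined by '+' in the IntermediateCerts parameter.
    Each name is percent-encoded individually so a name containing
    '&', '+' or '=' cannot alter the query string."""
    if not certs:
        # The article states that all certificates cannot be unassigned.
        raise ValueError("at least one certificate must be assigned")
    cert_list = "+".join(quote(name, safe="") for name in certs)
    return (f"https://{loadmaster}/access/modvs"
            f"?vs={quote(vs, safe='')}&port={int(port)}"
            f"&prot={quote(prot, safe='')}&IntermediateCerts={cert_list}")


def assign_intermediate_certs(loadmaster, username, password,
                              vs, port, prot, certs, cafile):
    """Send the request with HTTP Basic auth and server-certificate
    verification against `cafile` (the CA that issued the LoadMaster's
    management certificate) rather than disabling verification.
    Returns the response body as text."""
    url = build_modvs_url(loadmaster, vs, port, prot, certs)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample values; replace with your own.
    current = ["CA1-Root"]  # names showvs reports as assigned today
    wanted = full_cert_set(current, ["CA1-Intermediate"])
    print(build_modvs_url("loadmaster.example", "192.0.2.10", 443, "tcp", wanted))
    # assign_intermediate_certs("loadmaster.example", "bal", "<password>",
    #                           "192.0.2.10", 443, "tcp", wanted, "mgmt-ca.pem")
```

Run showvs first, feed its current certificate names into full_cert_set, and only then call assign_intermediate_certs; sending just the new name would silently drop the certificates that were already assigned.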
You can run the showvs command to check what intermediate certificates are currently assigned to the Virtual Service, for example:
For further details on the RESTful API in general, refer to the Long Term Support (LTS) RESTful API Interface Description document.
For PowerShell help, run the Get-Help command for the relevant commands.