Client certificate pass-through
The NetScaler appliance can now be configured to pass client certificates through to protected applications that require client certificates for user authentication. The ADC first authenticates the user, then inserts the client certificate into the request and sends it to the application. This feature is configured by adding appropriate SSL policies.
The exact behavior of this feature when a user presents a client certificate depends upon the configuration of the VPN virtual server.
- If the VPN virtual server is configured to accept client certificates but not require them, the ADC inserts the certificate into the request and then forwards the request to the protected application.
- If the VPN virtual server has client certificate authentication disabled, the ADC renegotiatiates the authentication protocol and reauthenticates the user before it inserts the client certificate in the header and forwards the request to the protected application.
- If the VPN virtual server is configured to require client certificate authentication, the ADC uses the client certificate to authenticate the user, then inserts the certificate in the header and forwards the request to the protected application.
In all of these cases, you configure client certificate pass-through as follows.
To create and configure client certificate pass-through by using the command line interface
At the command prompt, type the following commands:
-
add vpn vserver <name> SSL <IP> 443For name, substitute a name for the virtual server. The name must contain from one to 127 ASCII characters, beginning with a letter or underscore (_), and containing only letters, numbers, and the underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. For <IP>, substitute the IP address assigned to the virtual server.```
-
set ssl vserver <name> -clientAuth ENABLED -clientCert <clientcert>
For <name>, substitute the name of the virtual server that you just created. For <clientCert>, substitute one of the following values:- disabled—disables client certificate authentication on the VPN virtual server.
- mandatory—configures the VPN virtual server to require client certificates to authenticate.
- optional—configures the VPN virtual server to allow client certificate authentication, but not to require it.
-
bind vpn vserver \<name\> -policy local
For <name>, substitute the name of the VPN virtual server that you created. -
bind vpn vserver \<name> -policy cert
For <name>, substitute the name of the VPN virtual server that you created. -
bind ssl vserver \<name> -certkeyName \<certkeyname>
For <name>, substitute the name of the virtual server that you created. For <certkeyName>, substitute the client certificate key. -
bind ssl vserver \<name> -certkeyName \<cacertkeyname> -CA -ocspCheck Optional
For <name>, substitute the name of the virtual server that you created. For <cacertkeyName>, substitute the CA certificate key. -
add ssl action \<actname\> -clientCert ENABLED -certHeader CLIENT-CERT
For <actname>, substitute a name for the SSL action. -
add ssl policy \<polname\> -rule true -action \<actname\>
For <polname>, substitute a name for your new SSL policy. For <actname>, substitute the name of the SSL action that you just created. -
bind ssl vserver \<name\> -policyName \<polname\> -priority 10
For <name>, substitute the name of the VPN virtual server.
Example
add vpn vserver vs-certpassthru SSL 10.121.250.75 443
set ssl vserver vs-certpassthru -clientAuth ENABLED -clientCert optional
bind vpn vserver vs-certpassthru -policy local
bind vpn vserver vs-certpassthru -policy cert
bind ssl vserver vs-certpassthru -certkeyName mycertKey
bind ssl vserver vs-certpassthru -certkeyName mycertKey -CA -ocspCheck Optional
add ssl action act-certpassthru -clientCert ENABLED -certHeader CLIENT-CERT
add ssl policy pol-certpassthru -rule true -action act-certpassthru
bind ssl vserver vs-certpassthru -policyName pol-certpassthru -priority 10