NetScaler

Client certificate pass-through

September 21, 2020

Contributed by:

The NetScaler appliance can now be configured to pass client certificates through to protected applications that require client certificates for user authentication. The ADC first authenticates the user, then inserts the client certificate into the request and sends it to the application. This feature is configured by adding appropriate SSL policies.

The exact behavior of this feature when a user presents a client certificate depends upon the configuration of the VPN virtual server.

If the VPN virtual server is configured to accept client certificates but not require them, the ADC inserts the certificate into the request and then forwards the request to the protected application.
If the VPN virtual server has client certificate authentication disabled, the ADC renegotiatiates the authentication protocol and reauthenticates the user before it inserts the client certificate in the header and forwards the request to the protected application.
If the VPN virtual server is configured to require client certificate authentication, the ADC uses the client certificate to authenticate the user, then inserts the certificate in the header and forwards the request to the protected application.

In all of these cases, you configure client certificate pass-through as follows.

To create and configure client certificate pass-through by using the command line interface

At the command prompt, type the following commands:

add vpn vserver <name> SSL <IP> 443

For name, substitute a name for the virtual server. The name must contain from one to 127 ASCII characters, beginning with a letter or underscore (_), and containing only letters, numbers, and the underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. For <IP>, substitute the IP address assigned to the virtual server.```
set ssl vserver <name> -clientAuth ENABLED -clientCert <clientcert>
For <name>, substitute the name of the virtual server that you just created. For <clientCert>, substitute one of the following values:
- disabled—disables client certificate authentication on the VPN virtual server.
- mandatory—configures the VPN virtual server to require client certificates to authenticate.
- optional—configures the VPN virtual server to allow client certificate authentication, but not to require it.
bind vpn vserver \<name\> -policy local
For <name>, substitute the name of the VPN virtual server that you created.
bind vpn vserver \<name> -policy cert
For <name>, substitute the name of the VPN virtual server that you created.
bind ssl vserver \<name> -certkeyName \<certkeyname>
For <name>, substitute the name of the virtual server that you created. For <certkeyName>, substitute the client certificate key.
bind ssl vserver \<name> -certkeyName \<cacertkeyname> -CA -ocspCheck Optional
For <name>, substitute the name of the virtual server that you created. For <cacertkeyName>, substitute the CA certificate key.
add ssl action \<actname\> -clientCert ENABLED -certHeader CLIENT-CERT
For <actname>, substitute a name for the SSL action.
add ssl policy \<polname\> -rule true -action \<actname\>
For <polname>, substitute a name for your new SSL policy. For <actname>, substitute the name of the SSL action that you just created.
bind ssl vserver \<name\> -policyName \<polname\> -priority 10
For <name>, substitute the name of the VPN virtual server.

Example

add vpn vserver vs-certpassthru SSL 10.121.250.75 443
set ssl vserver vs-certpassthru -clientAuth ENABLED -clientCert optional
bind vpn vserver vs-certpassthru -policy local
bind vpn vserver vs-certpassthru -policy cert
bind ssl vserver vs-certpassthru -certkeyName mycertKey
bind ssl vserver vs-certpassthru -certkeyName mycertKey -CA -ocspCheck Optional
add ssl action act-certpassthru -clientCert ENABLED -certHeader CLIENT-CERT
add ssl policy pol-certpassthru -rule true -action act-certpassthru
bind ssl vserver vs-certpassthru -policyName pol-certpassthru -priority 10

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Client certificate pass-through

September 21, 2020

Contributed by:

September 21, 2020

Contributed by:

Client certificate pass-through

To create and configure client certificate pass-through by using the command line interface

Example

In this article