Product Documentation

Authenticating with Client Certificates

Aug 31, 2016

Web sites that contain sensitive content, such as online banking websites or websites with employee personal information, sometimes require client certificates for authentication. To configure AAA to authenticate users on the basis of client-side certificate attributes, you first enable client authentication on the traffic management virtual server and bind the root certificate to the authentication virtual server. Then, you implement one of two options. You can configure the default authentication type on the authentication virtual server as CERT, or you can create a certificate action that defines what the NetScaler ADC must do to authenticate users on the basis of a client certificate. In either case, your authentication server must support CRLs. You configure the ADC to extract the user name from the SubjectCN field or another specified field in the client certificate.

When the user tries to log on to an authentication virtual server for which an authentication policy is not configured, and a global cascade is not configured, the user name information is extracted from the specified field of the certificate. If the required field is extracted, the authentication succeeds. If the user does not provide a valid certificate during the SSL handshake, or if the user name extraction fails, authentication fails. After it validates the client certificate, the ADC presents a logon page to the user.

The following procedures assume that you have already created a functioning AAA configuration, and therefore they explain only how to enable authentication by using client certificates. These procedures also assume that you have obtained your root certificate and client certificates and have placed them on the ADC in the /nsconfig/ssl directory.

To configure the AAA client certificate parameters by using the command line interface

At the command prompt, type the following commands, in the order shown, to configure the certificate and verify the configuration:
  • add ssl certKey <certkeyName> -cert <certFile> -key <keyFile> -password -inform <inform> -expiryMonitor <expiryMonitor> -notificationPeriod <notificationPeriod>
  • bind ssl certKey <certkeyName> -vServer <certkeyName> -CA -crlCheck Mandatory
  • show ssl certKey [<certkeyName>]
  • set aaa parameter -defaultAuthType CERT
  • show aaa parameter
  • set aaa certParams -userNameField "Subject:CN"
  • show aaa certParams

To configure the AAA client certificate parameters by using the configuration utility

  1. Navigate to Security > AAA - Application Traffic > Virtual Servers.
  2. In the details pane, select the virtual server that you want to configure to handle client certificate authentication, and then click Edit.
  3. On the Configuration page, under Certificates, click the right arrow (>) to open the CA Cert Key installation dialog.
  4. In theCA Cert Key dialog box, click Insert.
  5. In the CA Cert Key - SSL Certificates dialog box, click Install.
  6. In the Install Certificate dialog box, set the following parameters, whose names correspond to the CLI parameter names as shown:
    • Certificate-Key Pair Name*—certkeyName
    • Certificate File Name—certFile
    • Key File Name—keyFile
    • Certificate Format—inform
    • Password—password
    • Certificate Bundle—bundle
    • Notify When Expires—expiryMonitor
    • Notification Period—notificationPeriod
  7. Click Install, and then click Close.
  8. In the CA Cert Key dialog box, in the Certificate list, select the root certificate.
  9. Click Save.
  10. Click Back to return to the main configuration screen.
  11. Navigate to Security > AAA - Application Traffic > Policies > Authentication > CERT.
  12. In the details pane, select the policy you want to configure to handle client certificate authentication, and then click Edit.
  13. In the Configure Authentication CERT Policy dialog, Server drop-down list, select the virtual server you just configured to handle client certificate authentication.
  14. Click OK. A message appears in the status bar, stating that the configuration completed successfully.