Product Documentation

Enabling Stricter Control on Client Certificate Validation

May 04, 2017

The NetScaler appliance accepts valid Intermediate-CA certificates if they are issued by a single Root-CA. That is, if only the Root-CA certificate is bound to the virtual server, and any intermediate certificate sent with the client certificate is validated by that Root-CA, the appliance trusts the certificate chain and the handshake is successful.

However, if a client sends a chain of certificates in the handshake, none of the intermediate certificates can be validated by using a CRL or OCSP responder unless that certificate is bound to the SSL virtual server. Therefore, even if one of the intermediate certificates is revoked, the handshake is successful. As part of the handshake, the SSL virtual server sends the list of CA certificates that are bound to it. For stricter control, you can configure the SSL virtual server to accept only a certificate that is signed by one of the CA certificates bound to that virtual server. To do so, you must enable the ClientAuthUseBoundCAChain setting in the SSL profile bound to the virtual server. The handshake fails if the client certificate is not signed by one of the CA certificates bound to the virtual server.

For example, say two client certificates, clientcert1 and clientcert2, are signed by the intermediate certificates Int-CA-A and Int-CA-B, respectively. The intermediate certificates are signed by the root certificate Root-CA. Int-CA-A and Root-CA are bound to the SSL virtual server. In the default case (ClientAuthUseBoundCAChain disabled), both clientcert1 and clientcert2 are accepted. However, ifClientAuthUseBoundCAChain is enabled, only clientcert1 is accepted by the NetScaler appliance

To enable stricter control on client certificate validation by using the command line

At the NetScaler command prompt, type:

set ssl profile <name> -ClientAuthUseBoundCAChain Enabled

To enable stricter control on client certificate validation by using the configuration utility

  1. Navigate to System > Profiles, select the SSL Profiles tab, and create an SSL profile, or select an existing profile.
  2. Select Enable Client Authentication using bound CA Chain.