Forum Discussion

Nuruddin_Ahmed_
Jan 03, 2017

Having client cert in the "Trusted Certificate Authorities"

Hi, I have a client which should be authenticated with a specific client certificate. Can I import the client certificate and select it under "Trusted Certificate Authorities", and leave the Advertised CA blank in the client SSL profile? Will it work?

2 Replies

  • Enable the below settings in the SSL profile. Hope it will work.

    Go to SSL profile “abc_SSL_clientssl” Configuration --> Advanced

    Client Authentication --> enable Checkbox

    Client Certificate --> Request

    Frequency --> Always (Always: Specifies that the system authenticates the client once for an SSL session and also upon reuse of that session) or Once

    Trusted Certificate Authorities --> Select “CA bundle cert” from Drop down list.

    Advertised Certificate Authorities --> None

    Click on Update. Attach the SSL profile to the VIP.


  • If I may add:

    Client Certificate indicates that you want to request a client cert during the TLS handshake. Both Request and Require settings enable this, and both will attempt to validate the client certificate, but the Request setting will "soft fail" if the certificate cannot be validated, while the Require setting will "hard fail". If the client must present a valid certificate, then you'd want to use the Require option.

    Frequency indicates whether or not you want to store information about the client cert (once), or require a full TLS handshake with mutual authentication at every new TCP connection (always). The Always setting is technically more secure, but comes at the price of performance.

    Trusted Certificate Authorities is the mechanism to establish the trust portion of the client certificate validation. This will either be a single CA certificate or a bundle of CA certificates (a text file with the concatenation of multiple CA certificates) that must contain all of the CA certificates (a root and any number of subordinates) required to build a complete chain from the client's certificate, through its immediate issuer, and each chained issuer up to the self-signed root. So if the client cert is issued by a subordinate, then that subordinate and the root must be in the bundle.

    Advertised Certificate Authorities provides a way to "hint" to the client from which CA it'll accept a certificate. In the case where the client may possess multiple certificates from different issuers, this hint will generally cause the browser to limit cert selection to only the ones in the path of the CAs in this bundle file.

    Now, you asked if you can force a client to authenticate with a specific client certificate. Assuming the client has more than one certificate, and each is from a different issuer, the Advertised Certificate Authorities bundle may be the easiest way to filter that list. And the Trusted Certificate Authorities bundle can prevent validation of certs from other authorities. If the client has multiple certs from the same CA, it's a little harder since the client ultimately has to make the choice.
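The chain-building point in the second reply (a bundle must contain the subordinate issuer as well as the root, or the client certificate will not validate) can be checked on a workstation before the bundle is uploaded to the BIG-IP. The script below is an added example, not code from either reply or from F5: it uses the OpenSSL command line to build a constructed three-tier chain (root CA, subordinate issuing CA, client certificate), then runs `openssl verify` against two candidate "Trusted Certificate Authorities" bundles, one with the root only and one with root plus subordinate. All certificate names, file names and the `validate_client` helper are made up for the demo; it assumes `openssl` and `mktemp` are available.

```shell
#!/bin/sh
# Constructed demo: which CA bundle lets a client cert issued by a
# subordinate CA validate? Mirrors what the BIG-IP does with the
# "Trusted Certificate Authorities" bundle during client cert validation.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed root CA (constructed name "Demo Root CA")
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext >/dev/null 2>&1

# 2. Subordinate issuing CA, signed by the root
openssl req -new -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out sub.crt -days 2 -extfile ca.ext >/dev/null 2>&1

# 3. Client (end-entity) certificate, signed by the subordinate only
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=demo-client" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -out client.crt -days 2 -extfile client.ext >/dev/null 2>&1

# Two candidate bundles: root alone, and root + subordinate concatenated
# (the concatenated text file is what the reply calls a "bundle").
cat root.crt > bundle_root_only.pem
cat root.crt sub.crt > bundle_full_chain.pem

# validate_client BUNDLE: prints "pass" if client.crt chains to a CA in
# BUNDLE, "fail" otherwise. Always returns 0 so set -e does not abort.
validate_client() {
  if openssl verify -CAfile "$1" client.crt >/dev/null 2>&1; then
    echo pass
  else
    echo fail
  fi
}

# Root-only bundle: the issuer (subordinate) is missing, so the chain
# from client -> subordinate -> root cannot be completed.
validate_client bundle_root_only.pem
# Root + subordinate bundle: chain completes, validation passes.
validate_client bundle_full_chain.pem
```

On the BIG-IP, a client whose certificate only validates against the second bundle will "soft fail" under Client Certificate = Request and "hard fail" under Require when the first bundle is the one selected, so running this check locally is a quick way to tell a bundle problem from a client problem.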