Client Certificate Constrained Delegation

Here's what you do:

Prerequisites

• Create a CA bundle - this is used to validate the client certificate
• Import server cert and key - this is the typical reverse proxy server certificate
• Import CA cert and key - this is the CA that forges the client certificate

Client SSL Profile

• Configuration section
  • Import server cert and key (and optionally a CA chain)
• Client Authentication section
  • Client Authentication: request or require
  • Trusted Certificate Authorities: attach the CA bundle
  • Advertised Certificate Authorities: optionally attach a CA bundle
• Client Certificate Constrained Delegation section
  • Client Certificate Constrained Delegation: enabled
  • OCSP: optional
  • Unknown OCSP response control: optional

Server SSL profile

• Configuration section
  • Certificate: required (can be default)
  • Key: required (can be default)
  • Chain: required if signing with a subordinate CA
• Client Certificate Constrained Delegation section
  • Client Certificate Constrained Delegation: enabled
  • CA certificate: signing CA cert
  • CA key: signing CA key
  • CA passphrase: optional
  • Certificate lifespan: set preferred time (certs are not cached)
  • Certificate extensions: set extensions to copy from original cert
  • Custom extension: optional (any client cert OIDs to copy)

The certificate that you insert into the server SSL profile is used as a template for the forged client cert. The private key is used to generate the CSR for the forged client cert.