Forum Discussion
SIP_354925
Jun 14, 2018 (Nimbostratus)
Client Certificate Constrained Delegation
I am trying to configure "client certificate constrained delegation" new in 13.1.x.x. This is used for 2 way SSL authentication. I am trying to add a subordinate CA certificate and key to the servers...
Kevin_Stewart
Nov 06, 2018 (Employee)
Here's what you do:
Prerequisites
- Create a CA bundle - this is used to validate the client certificate
- Import server cert and key - this is the typical reverse proxy server certificate
- Import CA cert and key - this is the CA that forges the client certificate
Client SSL Profile
- Configuration section
  - Import server cert and key (and optionally a CA chain)
- Client Authentication section
  - Client Authentication: request or require
  - Trusted Certificate Authorities: attach the CA bundle
  - Advertised Certificate Authorities: optionally attach a CA bundle
- Client Certificate Constrained Delegation section
  - Client Certificate Constrained Delegation: enabled
  - OCSP: optional
  - Unknown OCSP response control: optional
Server SSL profile
- Configuration section
  - Certificate: required (can be default)
  - Key: required (can be default)
  - Chain: required if signing with a subordinate CA
- Client Certificate Constrained Delegation section
  - Client Certificate Constrained Delegation: enabled
  - CA certificate: signing CA cert
  - CA key: signing CA key
  - CA passphrase: optional
  - Certificate lifespan: set preferred time (certs are not cached)
  - Certificate extensions: set extensions to copy from original cert
  - Custom extension: optional (any client cert OIDs to copy)
The certificate that you insert into the server SSL profile is used as a template for the forged client cert. The private key is used to generate the CSR for the forged client cert.