Forum Discussion
Eric_Frankenfie
Nimbostratus
Feb 14, 2013
Client SSL Authentication
I have a virtual server using a client SSL profile to offload SSL processing, but I would like to take this a step further and require SSL client authentication to prevent man in the middle attacks. ...
nitass
Employee
Nov 16, 2014
I got a certificate from the client (bank) which is self-signed by openssl from the client laptop. Then how can I find the root CA to select, or how can I find the CA, as it was self-signed?
Isn't the CA the client certificate itself (because it is self-signed)?
[root@centos1 ~]# openssl x509 -in client_a.crt -noout -subject -issuer
subject= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
issuer= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
When I enable 'Client Certificate' to ignore, it works, but when I enable 'Client Certificate' to require, it does not work.
e.g.
configuration
root@ve10(Active)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.9:https
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        myclientssl {
            context clientside
        }
        serverssl {
            context serverside
        }
        tcp { }
    }
    snat automap
}
root@ve10(Active)(tmos)# list ltm profile client-ssl myclientssl
ltm profile client-ssl myclientssl {
    ca-file client_a.crt
    defaults-from clientssl
    peer-cert-mode require
}
self-signed certificate
[root@ve10:Active] config # openssl x509 -in /config/ssl/ssl.crt/client_a.crt -noout -subject -issuer
subject= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
issuer= /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
test
[root@centos1 ~]# curl -Ik https://172.28.24.9/ --cert client_a.crt --key client_a.key
HTTP/1.1 200 OK
Date: Sun, 16 Nov 2014 05:28:56 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
ETag: "41879c-59-2a9c23c0"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
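
The point of the reply above, as an added example that is not part of the original thread: a self-signed certificate is its own issuer, so it can be loaded as the ca-file, and a check against that ca-file then rejects a certificate that does not chain to it. Here `openssl verify` stands in for the profile's validation (an assumption, not the BIG-IP code); the helper names, CN values and throwaway files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. File names and subjects are constructed.

# Create a throwaway self-signed certificate and key: mk_self_signed <name> <CN>
mk_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/CN=$2" 2>/dev/null
}

# Return 0 when subject and issuer are identical and OpenSSL accepts the
# certificate with itself as the only trust anchor.
is_self_signed() {
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null)
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null)
    [ -n "$subject" ] && [ "${subject#subject=}" = "${issuer#issuer=}" ] &&
        openssl verify -check_ss_sig -CAfile "$1" "$1" >/dev/null 2>&1
}

# Return 0 when <cert> chains to a certificate in <ca-file>: accepts <ca-file> <cert>
accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Two unrelated self-signed client certificates, checked against ca-file client_a.crt
demo() {
    local dir; dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      mk_self_signed client_a "client a" &&
      mk_self_signed client_b "client b" &&
      for c in client_a client_b; do
          is_self_signed "$c.crt" && echo "$c.crt is self-signed"
          if accepts client_a.crt "$c.crt"; then
              echo "ca-file client_a.crt accepts $c.crt"
          else
              echo "ca-file client_a.crt rejects $c.crt"
          fi
      done )
    rm -rf "$dir"
}

demo
```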
