client certificate authentication- NSMPX-11500 NS12.1: Build 51.19.nc


Sambhaji Banapure


Hi All, 

 

My requirement is as follows.

I have a client/server (gateway.test.com) which initiates the session to the NetScaler VIP (gateway-dev.test.com) on the SSL port.

 

CLIENT/SERVER(GATEWAY.test.com) =SSL-==> NETSCALER VIP===HTTP==>MEMBER 

 

Requirement:-

The SSL handshake should succeed only if it is originated by the client/server that has gateway.test.com (may be called mutual validation).

The SSL handshake should fail if it is originated by any other machine.

 

Action taken:

1) I have set Client-auth ENABLED and certificate MANDATORY in the SSL profile.

2) I have bound that SSL profile to the vServer (NETSCALER VIP).

3) I have bound the certificate (gateway-dev.test.com) to the NETSCALER VIP.

4) I have linked the bound certificate to the INTERMEDIATE CERT.

 

SSL PROFILE CONFIG:-

 

show ssl profile NS_SSL_CLIENT_AUTH
1)      Name: NS_SSL_CLIENT_AUTH        (Front-End)
        SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
        Client Auth: ENABLED    Client Cert Required: Mandatory
        Use only bound CA certificates: ENABLED
        Strict CA checks:               NO
        Session Reuse: ENABLED          Timeout: 120 seconds
        DH: DISABLED
        DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED          Refresh Count: 0
        Deny SSL Renegotiation          ALL
        Non FIPS Ciphers: DISABLED
        Cipher Redirect: DISABLED
        SSL Redirect: DISABLED
        Send Close-Notify: YES
        Strict Sig-Digest Check: DISABLED
        Zero RTT Early Data: DISABLED
        DHE Key Exchange With PSK: NO
        Tickets Per Authentication Context: 1
        Push Encryption Trigger: Always
        PUSH encryption trigger timeout:        1 ms
        SNI: DISABLED
        OCSP Stapling: DISABLED
        Strict Host Header check for SNI enabled SSL sessions:          NO
        Push flag:      0x0 (Auto)
        SSL quantum size:               8 kB
        Encryption trigger timeout      100 mS
        Encryption trigger packet count:        45
        Subject/Issuer Name Insertion Format:   Unicode

        SSL Interception: DISABLED
        SSL Interception OCSP Check: ENABLED
        SSL Interception End to End Renegotiation: ENABLED
        SSL Interception Maximum Reuse Sessions per Server:     10
        Session Ticket: DISABLED
        HSTS: DISABLED
        HSTS IncludeSubDomains: NO
        HSTS Max-Age: 0
        HSTS Preload: NO
        Skip Client Cert Policy Check: ENABLED


        ECC Curve: P_256, P_384, P_224, P_521

1)      Cipher Name: DEFAULT     Priority :1
        Description: Predefined Cipher Alias

 

CONFUSION:-

1) Do I need to import the client certificate into NetScaler? If yes, how should I do that, and how should it be used for cert validation?

2) Which cert do I need to bind to the VIP? Root CA, intermediate, or certificate?

3) Any changes to the SSL profile config?

4) Do I need to create any policies which I need to apply to the SSL vserver?

 

I am stuck on this and trying to get it working. I appreciate your help to proceed further.

 

Regards

Sam


It has been a while since I configured this first-hand, but anyhow let me try to answer the questions:

 

1) Do I need to import the client certificate into NetScaler? If yes, how should I do that, and how should it be used for cert validation?

>> You don't need to import the client cert.

 

2) Which cert do I need to bind to the VIP? Root CA, intermediate, or certificate?

>> The appliance verifies the client certificate by first forming a chain of certificates, starting with the client certificate and ending with the root CA certificate, so it is always better to have both the intermediate and the root bound to the vServer.

 

3) Any changes to the SSL profile config?

>> None apart from the usual.

 

4) Do I need to create any policies which I need to apply to the SSL vserver?

>> No.

 

 


13 minutes ago, Sambhaji Banapure said:

@Raman Kaushik - Thank you so much for your response.

Could you please let me know what certificate needs to be installed on the client machine?

The root/intermediate cert of the NETSCALER VIP cert.

 

 

You don't need any certificate on the client apart from the client cert itself (obviously).

Reason: the client doesn't have to validate anything in the whole process. The client only sends out the client certificate when the server (NetScaler in this case) requests it.

 

The only time you need the NetScaler VIP's intermediate/root certificate to be installed on the client machine is when you are using a self-signed server certificate on the NetScaler VIP.

If you are NOT using a self-signed cert, then you do not need to worry about importing any certs on the client machine.


Hi team, 

I want to set up mutual authentication; now only the connection coming from my URL (SERVER) needs to be allowed, and the rest need to be denied.

 

Now I have bundled the client cert + intermediate + root, and I want to bind that to the SSL profile which I created for the mutual authentication.

 

But I am getting the following errors:

Primary> bind ssl profile  NS_SSL_CLIENT_AUTH -ssliCACertkey /nsconfig/ssl/DIRTCA
ERROR: Certificate does not exist

lb114.dal09 sambhaji.banapure Primary> show ssl profile NS_SSL_CLIENT_AUTH
1)      Name: NS_SSL_CLIENT_AUTH        (Front-End)
        SSLv3: DISABLED TLSv1.0: ENABLED  TLSv1.1: ENABLED  TLSv1.2: ENABLED  TLSv1.3: DISABLED
        Client Auth: ENABLED    Client Cert Required: Mandatory
        Use only bound CA certificates: ENABLED
        Strict CA checks:               NO
        Session Reuse: ENABLED          Timeout: 120 seconds
        DH: DISABLED
        DH Private-Key Exponent Size Limit: DISABLED    Ephemeral RSA: ENABLED          Refresh Count: 0
        Deny SSL Renegotiation          ALL
        Non FIPS Ciphers: DISABLED
        Cipher Redirect: DISABLED
        SSL Redirect: DISABLED
        Send Close-Notify: YES
        Strict Sig-Digest Check: DISABLED
        Zero RTT Early Data: DISABLED
        DHE Key Exchange With PSK: NO
        Tickets Per Authentication Context: 1
        Push Encryption Trigger: Always
        PUSH encryption trigger timeout:        1 ms
        SNI: DISABLED
        OCSP Stapling: DISABLED
        Strict Host Header check for SNI enabled SSL sessions:          NO
        Push flag:      0x0 (Auto)
        SSL quantum size:               8 kB
        Encryption trigger timeout      100 mS
        Encryption trigger packet count:        45
        Subject/Issuer Name Insertion Format:   Unicode

        SSL Interception: ENABLED
        SSL Interception OCSP Check: ENABLED
        SSL Interception End to End Renegotiation: ENABLED
        SSL Interception Maximum Reuse Sessions per Server:     10
        Session Ticket: DISABLED
        HSTS: DISABLED
        HSTS IncludeSubDomains: NO
        HSTS Max-Age: 0
        HSTS Preload: NO
        Skip Client Cert Policy Check: ENABLED


        ECC Curve: P_256, P_384, P_224, P_521

1)      Cipher Name: DEFAULT     Priority :1
        Description: Predefined Cipher Alias

1)      Vserver Name: VS_apigateway.test.com_5111

 

 

set ssl vserver  VS_apigateway.test.com_5111 -sslProfile NS_SSL_CLIENT_AUTH

 

Could you please let me know if I am missing something.

 

regards

Sam

 


 

5 hours ago, Sambhaji Banapure said:

-ssliCACertkey /nsconfig/ssl/DIRTCA

Are you trying to point to the file or to the certkey (which should point to the file)?

This should be a certkey name and not a path.

 

Try show ssl certkey,

OR do the config in the GUI and see what options this field gives you.

 

# examples for a cert and a pfx bundle as a certificate (exact parameters vary depending on cert type)

# for the cert and key files, if a path isn't specified /nsconfig/ssl/ is assumed, and file/path names are case sensitive.

# finally, you can call the certkey whatever you want; you don't have to include .certkey in the entity name...

add ssl certkey mydemo.certkey -cert mydemo.cer -key mydemo.pem -password

add ssl certkey mydemo2.certkey -cert demo.pfx -password -inform PFX -bundle yes

 

bind ssl profile <profilename> -ssliCACertkey <certkeyname>

bind ssl profile <profilename> -ssliCACertkey mydemo.certkey


Are you trying to point to the file or to the certkey (which should point to the file)?

This should be a certkey name and not a path. -- I tried the CERTKEY NAME but that is not working; it looks like my CERT is having an issue.

 

Could you please guide me on how I should proceed further, and how the cert/intermediate/root should be installed and added as a certkey.

 

What I did is: I went to /nsconfig/ssl,

created a file with vi testcertroot.cer,

pasted Certificate+Intermediate+root,

then Escape, :wq!

Now I want to create a certkey for that file,

which I need to bind to the SSL profile.

 

Regards
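Added example, not from the thread or from Citrix: a POSIX shell script (openssl is assumed on PATH) that takes a PEM bundle like the one pasted into testcertroot.cer above (client cert + intermediate + root in one file), splits it, keeps only the CA certificates as the material to load as certkeys, and confirms the client cert actually chains to them before anything is loaded onto the appliance. The file names under the output directory are the script's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): sort a PEM bundle such as the one Sam built
# (client cert + intermediate + root in one file) into leaf and CA material, then
# verify the client cert chains to those CAs before anything is loaded as a certkey.
# Assumes openssl is on PATH; the file layout under OUTDIR is this script's own choice.

# split_bundle BUNDLE OUTDIR: one OUTDIR/cert-N.pem per certificate, in bundle order
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# classify_cert FILE: prints root (self-issued), ca (basicConstraints CA:TRUE) or leaf
classify_cert() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo root
    elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# sort_bundle BUNDLE OUTDIR: writes leaf.pem, intermediates.pem and root.pem;
# succeeds only if there is exactly one leaf and it verifies against the bundled CAs.
sort_bundle() {
    bundle=$1; out=$2; leaves=0
    mkdir -p "$out" && rm -f "$out"/cert-*.pem
    : > "$out/leaf.pem"; : > "$out/intermediates.pem"; : > "$out/root.pem"
    split_bundle "$bundle" "$out"
    for f in "$out"/cert-*.pem; do
        [ -f "$f" ] || continue
        case $(classify_cert "$f") in
            root) cat "$f" >> "$out/root.pem" ;;
            ca)   cat "$f" >> "$out/intermediates.pem" ;;
            leaf) cat "$f" >> "$out/leaf.pem"; leaves=$((leaves + 1)) ;;
        esac
    done
    [ "$leaves" -eq 1 ] || { echo "expected one client cert, found $leaves" >&2; return 1; }
    [ -s "$out/root.pem" ] || { echo "no self-signed root in bundle" >&2; return 1; }
    # Only root.pem and intermediates.pem are CA material; leaf.pem is the client's own cert
    set -- -CAfile "$out/root.pem"
    [ -s "$out/intermediates.pem" ] && set -- "$@" -untrusted "$out/intermediates.pem"
    openssl verify "$@" "$out/leaf.pem"
}
```

After running sort_bundle /nsconfig/ssl/testcertroot.cer /tmp/sorted, root.pem and intermediates.pem are what get loaded with add ssl certkey, while leaf.pem stays on the client, as Raman says above. For client authentication the CA certkeys are bound to the SSL vserver with the -CA option of bind ssl vserver, which is separate from a profile's SSL interception CA (-ssliCACertkey).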
