Jump to content
Welcome to our new Citrix community!

How to extract and check SubjectCN from client certificate ?


Henrik Frisk

Recommended Posts

Hi.

I'm working on a task where the client is required to deliver a valid client certificate.

In a sense it's actually already working. The client is delivers the client certificate and the VPX have the RootCA certificate installed so it can be validated. This works fine.

 

But I would like not only to check for a valid client certificate, but also check for a specific string in SubjectCN. - And that part I have not found a solution to.

 

What I would like to achieve:

 

Extract SubjectCN from client cert.

IF SubjectCN  = 'xxyy' THEN

- Forward traffic

ELSE

- Drop

 

So far I have tried with a Authentication Policy, but I don't know if this is the way to go?

Something like:

CLIENT.SSL.CLIENT_CERT.SUBJECT.EQ("MyStringCheck")

If true -> forward to lb.server (behind a content-switch).

 

Regards

Henrik

 

Link to comment
Share on other sites

  • 2 years later...

Hi

To do what you want, you must enable client auth on the VIP\CS, bind the issuing CA certificate to the VIP.

Finally you will have to apply some responder policies to the VIP\CS to verify the subject of the client crts

 

- Responder with RESET action for all CRT 

add responder policy resp_pol_RESET TRUE RESET

 

-Responder with No OP (no drop or no reset action) 
add responder policy ssl_check_cl_crt_subject_xxyy "CLIENT.SSL.CLIENT_CERT.SUBJECT.EQ(\"xxyy\")" NOOP
 

- Bindings to VIP\CS with high priority the check and low priority the RESET (prioriy low = high integer number, prioriy high= low integer number)

bind lb vserver vip_name_SSL_443 -policyName ssl_check_cl_crt_subject_xxyy -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver gateway-api-amministrazione-coll.credem.it_SSL_443 -policyName resp_pol_RESET -priority 10000 -gotoPriorityExpression END -type REQUEST

 

You can deploy one responder for every subjects or concatenate expressions with OR operator on same responder.

 

Thats all

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...