Jump to content
Welcome to our new Citrix community!

mTLS Behind Content Deliver Network


brysojl

Recommended Posts

 

I need to move a currently internet facing mTLS VIP behind our CDN.  The CDN must terminate the handshake with the originating client and pass the client cert data back to the Netscaler VIP in HTTP headers.

I would like to take the certificate data from the headers and then do a certificate revocation check from my Netscaler. Getting the CDN to do the CRL check appears to be beyond their intellectual capacity.

I am passing the certificate subjecCN string in an API call using an httpCallout to an application tier for authentication.  Thus, I need make the HTTP data and make a CRL call after i complete the handshake with the CDN.  Not sure if that is even possible or how to go about it.  Any ideas welcome. 

It's a while since visited the forum.  I had to set my account up again.  If this should go in a different topic let me know

Here are the relevant headers from the CDN

X-SSL-Client-I-DN: CN=**********************,DC=******,DC=******,DC=***
X-SSL-Client-S-DN: emailAddress=************,CN=************,OU=**************,OU=*********,O=*****,L=************,ST=**,C=US
X-SSL-Client-Verify: FAILED:unable to verify the first certificate
X-SSL-Client-Serial: 680**********************************************C
X-SSL-Client-V-Remain: 116
X-SSL-Client-V-End: Jun 10 11:49:56 2024 GMT
X-SSL-Client-V-Start: Apr 12 11:49:56 2022 GMT
X-SSL-Client-Sha1: 299999999999999999999999999921F
X-SSL-Client-Cert: -----BEGIN%20CERTIFICATE-----%0AM#########0A-----END%20CERTIFICATE-----%0A

 

 

Link to comment
Share on other sites

  • 2 weeks later...

thank you so much, Subhojit!  I was reminded that we have a this ATS Profession Services contract......  I created a support case and they are working with on this issue.   

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...