How do I enable SSL certificate based client authentication on NetScaler?
Use Case
Company ABC hosts a web application and wants to ensure that clients connecting to it are
authenticated even before they are allowed to see the landing page.
Quick recap of what SSL certificate based client authentication is
SSL client authentication lets you authenticate users who try to gain access to a resource
protected over SSL. It helps ensure that the person connecting is who they claim to be and is
authorized to access your services.
In a usual SSL scenario, during the TLS handshake, the client authenticates the server by verifying
the server certificate sent to it during the handshake. However, the server does not authenticate
the client's identity unless we explicitly configure it to, by enabling client authentication on
the server.
When SSL certificate based client authentication is enabled, the server still sends its certificate
to the client as part of the TLS handshake, but it also sends a message requesting the client's
certificate. The client thereby learns that client authentication is enabled and sends its certificate
to the server for verification. The server then authenticates the client by validating the information
in the certificate: the expiry date, the signature, the certificate chain (to determine whether the
client certificate was issued by a trusted CA) and, where configured, OCSP/CRL checks to ensure
the certificate has not been revoked.
Note: Client authentication can only be enabled on the server (a vserver on NetScaler). The client
cannot request to be authenticated on its own initiative.
Only if client authentication succeeds is the client allowed to access the service. If authentication
fails, the connection is terminated.
What role does NetScaler play in SSL Cert based Client Authentication?
In an SSL offload scenario, we can enable client authentication on NetScaler. This is configured
on the SSL virtual server or transparent SSL service to which the client connects.
Note: Client Authentication needs to be enabled individually on each SSL virtual server or
transparent SSL service.
Configuration Steps for enabling SSL certificate based Client Authentication on NS
Step 1: Configure SSL Offloading
Step a: Enable SSL Offloading feature
Step b: Add an SSL virtual server
Step c: Add HTTP/SSL based services
Step d: Bind the HTTP/SSL services to the SSL virtual server
Step e: Add a certificate-key pair
Step f: Bind the SSL key pair (server certificate) to the SSL virtual server
For SSL offload configuration details, see:
http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/config-ssloffloading.html
Step 2: Enable Client Authentication on the SSL Virtual Server
On NS GUI: Go to Traffic Management >> Load Balancing >> Virtual Servers >> Select the SSL vserver
on which you wish to enable Client Auth >> Edit >> SSL Parameters.
Under SSL Parameters, enable the Client Authentication parameter by checking the box. You
can set it to either Optional or Mandatory.
Optional indicates that NetScaler requests the client certificate but proceeds with the SSL
transaction even if client authentication fails because of an invalid certificate.
Mandatory indicates that NetScaler terminates the SSL handshake if client certificate
authentication fails.
On the NS CLI, you can use the command
set ssl vserver <vServerName> -clientAuth ENABLED -clientCert ( MANDATORY | OPTIONAL )
This step ensures that when a user browses to this SSL virtual server, they are prompted to
choose a certificate to use for authentication.
Note: If you are using an SSL profile, you need to enable the Client Authentication parameter under the SSL profile.
Step 3: Bind the CA certificate to the SSL virtual server.
Binding the CA certificate to the SSL virtual server is necessary because the client (user) certificate
is validated against this CA certificate. The CA certificate must belong to the CA that issued the
client certificate. It can be either the root CA certificate or the intermediate CA certificate, but the
complete chain must exist on the NetScaler and be bound to the SSL vserver.
Go to Traffic Management >> Load Balancing >> Virtual Servers >> Select the SSL vserver on which
you wish to bind the CA cert to >> Edit
Go to CA Certificate section of the virtual server and bind the trusted CA’s root certificate to the
vserver.
If the client certificate is issued by an intermediate CA, you need to upload the intermediate CA’s
certificate as well on the NetScaler. Uploading the complete chain of certificates up to the root CA
certificate is necessary to avoid a situation wherein a valid client certificate is denied due to a
missing certificate in the certificate chain.
The certificates in this chain can be bound to the SSL virtual server in any order, because NetScaler
internally re-orders them during client certificate validation.
To view the complete certificate chain, refer to: http://docs.citrix.com/en-us/netscaler/11/traffic-management/ssl/manage-certs/display-cert-chain.html
Using the NS CLI, the full syntax of the bind command is:
bind ssl vserver <vServerName>@ ((-policyName <string> [-priority <positive_integer>]
    [-gotoPriorityExpression <expression>] [-invoke (<labelType> <labelName>)]) |
    ((-certkeyName <string> [(-CA [-crlCheck ( Mandatory | Optional ) | -ocspCheck ( Mandatory | Optional )]
    [-skipCAName]) | -SNICert]) | -cipherName <string> | -eccCurveName <eccCurveName>))
For this step, the relevant form is -certkeyName with the -CA flag, which marks the bound certificate
as a CA certificate used for client certificate validation; -crlCheck and -ocspCheck add the optional
revocation checks mentioned earlier.
Once this step is complete, a user browsing to this SSL virtual server is prompted with a list of
certificates to choose from for authentication; however, only those client certificates that are
signed by the CA bound to this SSL virtual server are presented as options.
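The chain rule in Step 3, and the chain validation the server performs during the handshake described in the recap above, can be reproduced on a workstation with the openssl command-line tool (1.1.1 or later assumed). The script below is an added example, not part of the Citrix article or of any NetScaler configuration: it constructs a throwaway root CA, an intermediate CA and client certificates (all names such as "Example Root CA", "alice" and "other_client" are constructed), then shows that a client certificate issued by the intermediate is rejected when only the root is trusted, accepted when the complete chain is trusted, and that a certificate from an unrelated CA is rejected either way.

```shell
#!/bin/sh
# Added example, not from the Citrix article: a constructed PKI
# (root CA -> intermediate CA -> client cert) checked the way a server
# validates a client certificate chain against its bound CA certificates.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
# Extension profiles: one for CA certificates, one for client certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# new_key_and_csr NAME SUBJECT: fresh RSA key plus CSR, no prompting.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" >/dev/null 2>&1
}
# self_sign NAME: turn NAME.csr into a self-signed CA certificate NAME.pem.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 2 \
    -extfile ca.ext >/dev/null 2>&1
}
# sign_csr NAME ISSUER EXTFILE: issue NAME.pem from NAME.csr, signed by ISSUER.
sign_csr() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -out "$1.pem" -days 2 -extfile "$3" >/dev/null 2>&1
}
# verify_client_cert BUNDLE CERT: prints ACCEPT or REJECT for CERT validated
# against the CA certificates in BUNDLE (the server's bound CA certificates).
verify_client_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ACCEPT; else echo REJECT; fi
}

# Trusted hierarchy (constructed names): root -> intermediate -> client "alice".
new_key_and_csr root  "/CN=Example Root CA";          self_sign root
new_key_and_csr inter "/CN=Example Intermediate CA";  sign_csr inter root ca.ext
new_key_and_csr alice "/CN=alice";                    sign_csr alice inter client.ext
# An unrelated CA issuing its own client certificate; it must never be accepted.
new_key_and_csr other "/CN=Unrelated CA";             self_sign other
new_key_and_csr other_client "/CN=other_client";      sign_csr other_client other client.ext

# Two candidate CA bundles to bind: root only, or the complete chain.
cp root.pem root_only.pem
cat root.pem inter.pem > full_chain.pem

for bundle in root_only.pem full_chain.pem; do
  for cert in alice.pem other_client.pem; do
    echo "$bundle / $cert: $(verify_client_cert "$bundle" "$cert")"
  done
done
```

The root_only.pem run is the misconfiguration the article warns about: alice's certificate is valid, yet it is rejected because the intermediate is missing from the bound chain.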