Client SSL Certificate Validation
Avi Vantage can validate SSL certificates presented by clients against a trusted certificate authority (CA) and a configured certificate revocation list (CRL). Certificate information is passed to the server through various headers through additional options. For certificate authentication, an HTTP application profile and an associated public key infrastructure (PKI) profile have to be configured. Starting with Avi Vantage release 18.2.3, this has been extended to L4 SSL/TLS applications (via the Avi CLI). This article explains the application profiles and PKI profile configurations.
HTTP Application Profile
To configure an HTTP application profile:
- Navigate to Templates > Profiles > Application.
- Click on Create to create a new HTTP application profile with type as HTTP. To know more, refer to Configuring HTTP Profile
Note: The Client SSL Certificate Validation section of the UI displays three options for validation. Those options are discussed later in this article.
Avi Vantage optionally inserts the client’s certificate, or parts of it, into a new HTTP header to be sent to the server. To insert multiple headers, the plus icon is used. These inserted headers are in addition to any headers added or manipulated by the more granular HTTP policies or DataScripts.
- HTTP Header Name — Name of the headers to be inserted into the client request that is sent to the server.
- HTTP Header Value — Used with the HTTP Header Name field, this field is used to determine the field of the client certificate to insert into the HTTP header sent to the server. Several options are more general, such as the SSL Cipher, which lists the ciphers negotiated between the client and Avi Vantage. These generic headers may be used for non-client certificate connections by setting the Validation Type to Request.
L4 SSL/TLS Application Profile
Starting with Avi Vantage release 18.2.3 client certificate verification on L4 SSL/TLS applications is supported. Refer to the Configuring L4 SSL/TLS Profile section of the How to Enable Client Certificate Authentication on Avi Vantage article.
The PKI profile:
- Contains the configured certificate authorities and CRL. A PKI profile is necessary if the Validation Type is set to Request or Require.
- Supports configuring and updating the client certificate revocation lists. It is used to validate clients or server certificates.
Navigate to Applications > Templates, select the Security tab, and click on the PKI Profile option.
Refer to Create a PKI Profile to know more.
Client Certificate Validation: Avi Vantage validates client access to an HTTPS virtual service via client SSL certificates. Clients will present their certificate when accessing the virtual service. This will be matched against a CRL. If the certificate is valid and the clients are not on the list of revoked certificates, they will be allowed access to the HTTPS virtual server. Client certificate validation is enabled via the HTTP profile’s Authentication tab. The HTTP profile will reference the PKI profile for specifics on the CA and the CRL. A single PKI profile may be referenced by multiple profiles.
Server Certificate Validation: Avi Vantage can validate the certificate presented by a server, such as when an HTTPS health check is sent to a server. Server certificate validation also uses a PKI profile to validate the certificate presented. Server certificate validation can be configured by enabling SSL within the desired pool, then specifying the PKI Profile.
PKI Profile Settings
The PKI profile settings are explained below.
- Name — The unique name for the profile.
- Ignore Peer Chain — If this option is enabled, the certificate validation will ignore any intermediate certificates that might be presented. The presented certificate is only checked against the final root certificate for revocation. This option is disabled by default. When disabled, the certificate must present a full chain which is traversed and validated, starting from the client or server presented certificate to the terminal root certificate. Each intermediate certificate must be validated and matched against a CA certificate included in the PKI profile.
- Host Header Check — If enabled, this option ensures the virtual service’s VIP field, when resolved using DNS, matches the domain name field of the certificate presented from a server to Avi Vantage when back-end SSL is enabled. If the server’s certificate does not match, it is considered insecure and marked down.
- Enable CRL Check — If this option is selected, the client’s certificate will be verified against the certificate revocation list.
For more information, refer to Create a PKI Profile.
Add a new certificate from a trusted Certificate Authority. If more than one CA are included in the PKI profile, then a client’s certificate should match one of them to be valid. A client’s certificate must match the CA as the root of the chain. If the presented certificate has an intermediate chain, then each link in the chain must be included here. Enable Ignore Peer Chain to ignore intermediate validation checking.
Certificate Revocation List
The CRL allows invalidation of certificates (serial number). The revocation list may be updated by manually uploading a new CRL, or by periodically downloading from a CRL server. If a client or server certificate is found to be in the CRL, the SSL handshake will fail, with a resulting log created to provide further information about the handshake.
- Leaf Certificate CRL validation only — When enabled, Avi Vantage will only validate the leaf certificate against the CRL. The leaf is the next certificate in the chain up from the client certificate. A chain may consist of multiple certificates. To validate all certificates against the CRL, disable this option. Disabling this option means you need to upload all the CRLs issued by each certificate in the chain. Even if one CRL is missing, the validation process will fail.
- Server URL — Specify a server from which CRL updates can be downloaded. Access to this server will be done from the Avi Controller IP addresses, which means they will require firewall access to this destination. The CRL server may be identified by an IP address or a fully qualified domain name (FQDN) along with an HTTP path, such as https://www.avinetworks.com/crl.
- Refresh Time — After the elapsed period of time, Avi Vantage will automatically download an updated version of the CRL. If no time is specified, Avi Vantage will download a new CRL at the current CRL’s lifetime expiration.
- Upload Certificate Revocation List File — Navigate to a CRL file for upload. Subsequent CRL updates can be done by manually uploading newer lists, or configuring the Server URL and Refresh Time to automate the process.