# How to Enable Client Certificate Authentication on Avi Vantage
## Overview
This article explains how to enable client certificate authentication on Avi Vantage. When client certificate authentication is enabled, Avi Vantage validates SSL certificates presented by a client against a trusted certificate authority and a configured client revocation list (CRL). For more information, refer to Client Certificate Validation on Avi Vantage.
## Prerequisites
Knowledge of OpenSSL
## Instructions
This section covers the following:
- Generating required keys and certificates
- Configuring CRL
- Exporting PFX Key to local workstation
- Creating PKI application profile
- Configuring HTTP profile
- Configuring L4 SSL/TLS (new for 18.2.3)
- Associating virtual service with the required application profile
- Testing client certificate authentication against the virtual service
### Generating Keys and Certificates
#### Creating Directories for Keys and Certificates
Log in to the Avi CLI and use the <code>mkdir</code> command to create a directory in which to store the keys and certificates required for client authentication. Use the <code>cd</code> command to enter the directory.
```
$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $
```
#### Generating Certificate Authority (CA) Key and Certificate
Use the <code>openssl genrsa -out CA.key 2048</code> command to generate a 2048-bit RSA private key for the CA, then use the <code>openssl req -x509</code> command shown below to generate the self-signed CA certificate from that key.
```
[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................+++
..................+++
e is 65537 (0x10001)
Generate self-signed CA Cert:
[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:
```
**Note**: Leave the email address empty.
#### Generating Client Certificate Signing Request (CSR)
First generate a <code>client.key</code> using the <code>openssl genrsa -out client.key 2048</code> command.
<br>
Next, use the <code>openssl req -new -key client.key -out client.csr</code> command to create a client CSR. Enter all the details as per the requirement.
**Notes**:
* The Common Name should match the hostname or FQDN of your client machine.
* Leave the email address, the challenge password, and the optional company name empty.
```
Generate client CSR:
[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
#### Creating Signed Client Certificate
Use the following OpenSSL command to sign the client CSR with the CA key, producing the client certificate <code>client.pem</code>.
```
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key
```
#### Converting Client Key from PEM to PKCS12 (PFX)
Use the following OpenSSL command to convert the client key format from PEM to PKCS12. Provide an export password that you can remember, for example, avi123.
```
[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:
```
### Configuring CRL
#### Generating CRL
By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL. This CRL is issued by the CA that signed the client certificate.
Use the following OpenSSL command to generate the CRL using the key and the certificate created in the previous steps.
```
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139687578113952:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
139687578113952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
```
This command may fail with errors such as the ones shown above. Take the corrective action the error indicates. For example, the following commands create the missing file /etc/pki/CA/index.txt and the file /etc/pki/CA/crlnumber with the content 01:
```
[client-cert-auth-demo] $ touch /etc/pki/CA/index.txt
[client-cert-auth-demo] $ echo 01 > /etc/pki/CA/crlnumber
```
#### Re-generating the CRL
Once action is taken as per the error in the previous step, re-run the <code>openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem</code> command to generate the CRL once again.
```
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
```
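The key, certificate and CRL steps above, as an added example that is not from the Avi article: a POSIX shell script that runs the same OpenSSL commands non-interactively with a private <code>ca.cnf</code> (so <code>openssl ca</code> does not depend on <code>/etc/pki/CA/index.txt</code>), then checks a client certificate the way a PKI profile with **Enable CRL Check** does, and revokes it to show the CRL check rejecting it. The scratch directory, subjects, CRL lifetime and the function names <code>setup_ca</code>, <code>gen_crl</code>, <code>verify_client</code> and <code>revoke_client</code> are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Avi article. Runs the article's OpenSSL steps
# non-interactively with a private ca.cnf (no /etc/pki/CA/index.txt needed),
# then applies the two checks a PKI profile with CRL checking performs on a
# client certificate: chain to CA.pem, and absence from crl.pem.
# Subjects, scratch directory and CRL lifetime are constructed sample values.
set -eu

setup_ca() {   # $1 = scratch directory; the other functions run inside it
    mkdir -p "$1" && cd "$1"
    touch index.txt && echo 01 > crlnumber   # files the article creates by hand
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 30
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl genrsa -out CA.key 2048 2>/dev/null
    openssl req -config ca.cnf -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=demo.avi.com"
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -config ca.cnf -new -key client.key -out client.csr \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com"
    openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
        -out client.pem -days 1024 -sha256 2>/dev/null
    gen_crl
}
# (Re)issue crl.pem from the CA database; the article's 'Re-generating the CRL' step.
gen_crl() { openssl ca -config ca.cnf -gencrl -keyfile CA.key -cert CA.pem -out crl.pem 2>/dev/null; }
# Succeeds only if $1 chains to CA.pem and is not listed in crl.pem, which is
# what Avi enforces with Client SSL Certificate Validation set to Required.
verify_client() { openssl verify -crl_check -CAfile CA.pem -CRLfile crl.pem "$1" >/dev/null 2>&1; }
# Revoke $1 and reissue the CRL; the new crl.pem must be uploaded to the PKI profile.
revoke_client() {
    openssl ca -config ca.cnf -revoke "$1" -keyfile CA.key -cert CA.pem 2>/dev/null
    gen_crl
}
```

Source the script, call <code>setup_ca</code> with a scratch directory, and <code>verify_client client.pem</code> succeeds until <code>revoke_client client.pem</code> has been run, after which the same check fails with the certificate reported as revoked.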
### Exporting PFX Client Key to the Keychain of Your Local Workstation
Copy *client.pfx* to your workstation (in this example, a Mac workstation is used), and open it in the keychain.
Enter the export password to add the client PFX key to your local keychain store as shown below.
**Note**: Use the export password provided while converting PEM key to PFX key.
<a href="img/exporting.png"><img src="img/exporting.png" alt="exporting" ></a>
### Creating PKI Application Profile
#### Creating PKI Application Profile Using the Avi UI
1. Navigate to **Applications** > **Templates**, select the **Security** tab, and click on the **PKI Profile** option.
<a href="img/create-pki.png"><img src="img/create-pki.png" alt="create-pki" ></a>
2. Click on the edit icon next to an existing PKI profile, or click **New** to create a new one. In this example, a new PKI profile is created.
Provide the desired name and select **Enable CRL Check**.
<a href="img/pki-name.png"><img src="img/pki-name.png" alt="pki-name" ></a>
3. Select **Add CA**, and click on **Upload Certificate Authority**.
<a href="img/add-new-ca.png"><img src="img/add-new-ca.png" alt="add-new-ca" ></a>
<a href="img/select-upload.png"><img src="img/select-upload.png" alt="select-upload" ></a>
<a href="img/upload-ca.png"><img src="img/upload-ca.png" alt="upload-ca" ></a>
4. Select **Add CRL**, and click on the **Upload File** option to add the CRL file (crl.pem) saved on your local workstation.
<a href="img/add-crl.png"><img src="img/add-crl.png" alt="add-crl" ></a>
<a href="img/upload-file.png"><img src="img/upload-file.png" alt="upload-file" ></a>
<a href="img/upload-crl.png"><img src="img/upload-crl.png" alt="upload-crl" ></a>
5. Click on **Save**.
As shown below, the CA file and the CRL file have been added to the PKI profile (My-PKI-Profile).
The PKI profile should contain a CRL for each intermediate CA in the chain of trust.
#### Creating PKI Application Profile Using the Avi CLI
```
New object being created
admin:My-Avi-Controller-17.2.10: pkiprofile:ca_certs> certificate
Please input the value for field certificate (Enter END to terminate input):-----BEGIN CERTIFICATE-----   <--------------- Paste cert here
MIIFAzCCA+ugAwIBAgIEUdNg7jANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs
r2RsCAwEAAaOCAQkwggEFMA4GA1UdDwEB/wQEAwIBBjAP
jbEnmUK+xJPrSFdDcSPE5U6trkNvknbFGe/KvG9CTBaahqkEOMdl8PUM4ErfovrO
GhGonGkvG9/q4jLzzky8RgzAiYDRh2uiz2vUf/31YFJnV6Bt0WRBFG00Yu0GbCTy
BrwoAq8DLcIzBfvLqhboZRBD9Wlc44FYmc1r07jHexlVyUDOeVW4c4npXEBmQxJ/
B7hlVtWNw6f1sbZlnsCDNn8WRTx0S5OKPPEr9TVwc3vnggSxGJgO1JxvGvz8pzOl
u7sY82t6XTKH920l5OJ2hiEeEUbNdg5vT6QhcQqEpy02qUgiUX6C
-----END CERTIFICATE-----   <--------------- Press Enter key after pasting cert
END   <--------------- Type END and press Enter key
admin:My-Avi-Controller-17.2.10: pkiprofile:ca_certs> save
admin:My-Avi-Controller-17.2.10: pkiprofile> no crl_check   <--------------- Optional for testing
admin:My-Avi-Controller-17.2.10: pkiprofile> save
```
### Configuring HTTP Profile
1. Navigate to **Templates** > **Profiles**, select the **Application** option, and click on **Create** to create a new HTTP application profile.
Provide the desired name, and set the type to **HTTP**.
2. Select the **Security** tab, and select **Required** under **Client SSL Certificate Validation**.
<a href="img/required.png"><img src="img/required.png" alt="required" ></a>
Select the PKI profile created in the previous step, and add the desired HTTP headers that you want to see in the application logs.
<a href="img/application-profile.png"><img src="img/application-profile.png" alt="application-profile" ></a>
### Configuring L4 SSL/TLS Profile
Starting with Avi Vantage release 18.2.3, the Avi CLI interface can be used to configure L4 SSL/TLS application profiles for client SSL certificate validation.
1. Log in to the Avi CLI (<code>shell</code>).
2. Edit or create the application profile for your L4 SSL/TLS application. In this example, we've chosen to name the profile <code>my-L4-app-profile</code>.<br>
<pre><code>[admin:our-controller]: > configure applicationprofile my-L4-app-profile</code></pre>
3. Declare the profile to be of type L4.<br>
<pre><code>[admin:our-controller]: applicationprofile> type application_profile_type_l4</code></pre>
4. Enter <code>tcp_app_profile</code> submode.<br>
<pre><code>[admin:our-controller]: applicationprofile> tcp_app_profile</code></pre>
5. Enter <code>ssl_client_certificate_mode</code>. If you type only part of the keyword and press the TAB key twice, three choices appear.<br>
<pre><code>[admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_
ssl_client_certificate_none Enum option does not have an e_description option
ssl_client_certificate_request Enum option does not have an e_description option
ssl_client_certificate_require Enum option does not have an e_description option</code></pre>
6. Pick the desired validation mode, which is explained in a subsequent section of this article.<br>
<pre><code>[admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_require</code></pre>
7. For either <code>ssl_client_certificate_request</code> or <code>ssl_client_certificate_require</code> mode, a PKI profile is required and must exist before the application profile is saved.<br>
<pre><code>[admin:our-controller]: applicationprofile:tcp_app_profile> pki_profile_ref my-L4-pki</code></pre>
8. Save the configuration.<br>
<pre><code>[admin:our-controller]: applicationprofile:tcp_app_profile> save
[admin:our-controller]: applicationprofile> save
[admin:our-controller]: </code></pre>
### Associating Application Profile with Virtual Service
1. Navigate to **Applications** > **Virtual Service**, select the desired virtual service. Click on the edit icon, and select the HTTP application profile created in the previous step.
<a href="img/edit-vs.png"><img src="img/edit-vs.png" alt="edit-vs" ></a>
### Testing Client Certificate Authentication against Virtual Service
Execute the following <code>curl</code> command, using the certificates generated in the previous section, to test the connection to the virtual service.
*10.10.27.101* is the IP address of the virtual service.
```
$ curl -k -v --cacert ./CA.pem --key ./client.key --cert ./client.pem https://10.10.27.101/
```
**Note**: <code>-k</code> makes curl skip verification of the virtual service's own server certificate; drop it once the virtual service presents a certificate that chains to CA.pem or to another CA that curl trusts, so that both sides of the connection are validated.