How to Enable Client Certificate Authentication on Avi Vantage
This article explains how to enable client certificate authentication on Avi Vantage. When client certificate authentication is enabled, Avi Vantage validates SSL certificates presented by a client against a trusted certificate authority and a configured client revocation list (CRL). For more information, refer to Client Certificate Validation on Avi Vantage.
Knowledge of OpenSSL
This section covers the following:
- Generating required keys and certificates
- Configuring CRL
- Exporting PFX Key to local workstation
- Creating PKI application profile
- Configuring HTTP profile
- Configuring L4 SSL/TLS (new for 18.2.3)
- Associating virtual service with the required application profile
- Testing client certificate authentication against the virtual service
Generating Keys and Certificates
Creating Directories for Keys and Certificates
Login to the Avi CLI, and use the following
mkdir command to create a directory to store, and execute the keys, and certificates required for client authentication.
cd command to access the directory.
$ mkdir client-cert-auth-demo $ cd client-cert-auth-demo [client-cert-auth-demo] $
Generating Client Certificate (CA) Key
openssl genrsa -out CA.key 2048 command to generate a self-signed CA certificate with 2048-bit encryption.
[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048 Generating RSA private key, 2048 bit long modulus .....................................................................................+++ ..............................+++ e is 65537 (0x10001) Generate self-signed CA Cert: [client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) :California Locality Name (eg, city) [Default City]:Santa Clara Organization Name (eg, company) [Default Company Ltd]:Avi Networks Organizational Unit Name (eg, section) :Engineering Common Name (eg, your name or your server's hostname) :demo.avi.com Email Address :
Note: Leave the email address empty.
Generating Client Certificate Signing Request (CSR)
First generate a
client.key using the
openssl genrsa -out client.key 2048 command.
Next, use the
openssl req -new -key client.key -out client.csr command to create a client CSR. Enter all the details as per the requirement.
- The Common Name should match the hostname or FQDN of your client machine.
- Leave the email address, the challenge password, and the optional company name empty.
Generate client CSR: [client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) :California Locality Name (eg, city) [Default City]:Santa Clara Organization Name (eg, company) [Default Company Ltd]:Avi Networks Organizational Unit Name (eg, section) :Engineering Common Name (eg, your name or your server's hostname) :client.avi.com Email Address : Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
Creating Signed Client Certificate:
Use the following OpenSSL command to create a signed client certificate.
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial - out client.pem -days 1024 -sha256 Signature ok subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com Getting CA Private Key
Converting Client Key from PEM to PKCS12 (PFX)
Use the following OpenSSL command to convert the client key format from PEM to PKCS12. Provide an export password that you can remember, for example, avi123.
[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem Enter Export Password: Verifying - Enter Export Password:
By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL. This CRL is issued by the CA that signed the client certificate. Use the following OpenSSL command to generate the CRL using the key and the certificate created in the previous steps.
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem Using configuration from /etc/pki/tls/openssl.cnf /etc/pki/CA/index.txt: No such file or directory unable to open '/etc/pki/CA/index.txt' 139687578113952:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r') 139687578113952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
This command may exhibit a few errors. Take the actions as required. For example, the following commands create a file.
/etc/pki/CA/index.txt file and the file /etc/pki/CA/crlnumber with the content 01: [client-cert-auth-demo] $ touch /etc/pki/CA/index.txt [client-cert-auth-demo] $ echo 01 > /etc/pki/CA/crlnumber
Re-generating the CRL
Once action is taken as per the error in the previous step, re-run the
openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem command to generate the CRL once again.
[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem Using configuration from /etc/pki/tls/openssl.cnf
Exporting PFX Client Key to the Keychain of Your Local Workstation
Copy the client.pfx to your workstation (in this example, a MAC workstation is used), and open it in the keychain. Enter the export password to add the client PFX key to your local keychain store as shown below.
Note: Use the export password provided while converting PEM key to PFX key.
Creating PKI Application Profile
Creating PKI Application Profile Using the Avi UI
Navigate to Applications > Templates, select the Security tab, and click on the PKI Profile option.
Click on the edit icon next to the existing PKI profile, or click New to create a new one. In this example, a new PKI profile is created. Provide the desired name, select Enable CRL Check.
Select Add CA, and click on Upload Certificate Authority.
Select Add CRL, and click on the Upload File option to add the CRL file (crl.pem) saved on your local workstation.
Click on Save. As shown below, the CA file and the CRL file have been added to the PKI profile (My-PKI-Profile). The application profile should contain a CRL for each of the intermediate CA in the chain of trust.
Creating PKI Application Profile Using the Avi CLI
[admin:My-Avi-Controller-17.2.10]: > configure pkiprofile test [admin:My-Avi-Controller-17.2.10]: pkiprofile> ca_certs New object being created [admin:My-Avi-Controller-17.2.10]: pkiprofile:ca_certs> certificate -- Please input the value for field certificate (Enter END to terminate input):-----BEGIN CERTIFICATE----- <————————— Paste cert here MIIFAzCCA+ugAwIBAgIEUdNg7jANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs r2RsCAwEAAaOCAQkwggEFMA4GA1UdDwEB/wQEAwIBBjAP jbEnmUK+xJPrSFdDcSPE5U6trkNvknbFGe/KvG9CTBaahqkEOMdl8PUM4ErfovrO GhGonGkvG9/q4jLzzky8RgzAiYDRh2uiz2vUf/31YFJnV6Bt0WRBFG00Yu0GbCTy BrwoAq8DLcIzBfvLqhboZRBD9Wlc44FYmc1r07jHexlVyUDOeVW4c4npXEBmQxJ/ B7hlVtWNw6f1sbZlnsCDNn8WRTx0S5OKPPEr9TVwc3vnggSxGJgO1JxvGvz8pzOl u7sY82t6XTKH920l5OJ2hiEeEUbNdg5vT6QhcQqEpy02qUgiUX6C -----END CERTIFICATE----- <————————— Press Enter key after pasting cert END <————————— Type END and press Enter key [admin:My-Avi-Controller-17.2.10]: pkiprofile:ca_certs> save [admin:My-Avi-Controller-17.2.10]: pkiprofile> no crl_check <————————— Optional for testing [admin:My-Avi-Controller-17.2.10]: pkiprofile> save
Configuring HTTP Profile
Navigate to Templates > Profiles, select the Application option, and click on Create to create a new HTTP application profile. Provide the desired name, and set the type to HTTP.
Select the Security tab, and choose the Required tab under the Client SSL Certificate Validation.
Select the PKI profile created in the previous step, and add the desired HTTP headers that you want to see in the application logs.
Configuring L4 SSL/TLS Profile
Starting with Avi Vantage release 18.2.3, the Avi CLI interface can be used to configure L4 SSL/TLS application profiles for client SSL certificate validation.
- Login to the Avi CLI (
- Edit or create the application profile for your L4 SSL/TLS application. In this example, we’ve chosen to name the profile
> [admin:our-controller]: > configure applicationprofile my-L4-app-profile
- Declare the profile to be type L4.
> [admin:our-controller]: applicationprofile> type application_profile_type_l4
> [admin:our-controller]: applicationprofile> tcp_app_profile
- Enter the
ssl_client_certificate_mode. If you key in just a portion of the keyword, followed by two TAB key clicks, three choices will appear.
> [admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_ ssl_client_certificate_none Enum option does not have an e_description option ssl_client_certificate_request Enum option does not have an e_description option ssl_client_certificate_require Enum option does not have an e_description option
- Pick the desired validation type, which is explained in a subseqent section of this article.
> [admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_require
- For either
ssl_client_certificate_requiremode, a PKI profile is required and must exist previous to saving the application profile.
> [admin:our-controller]: applicationprofile:tcp_app_profile> pki_profile_ref my-L4-pki
- Save the configuration.
> [admin:our-controller]: applicationprofile:tcp_app_profile> save > [admin:our-controller]: applicationprofile> save > [admin:our-controller]:
Associating Application Profile with Virtual Service
Navigate to Applications > Virtual Service, select the desired virtual service. Click on the edit icon, and select the HTTP application profile created in the previous step.
Testing Client Certificate Authentication against Virtual Service
Execute the following
curl command using the certificates generated in the previous section to test the connection to the virtual service.
10.10.27.101 is the IP address of the virtual service.
$ curl -k -v --cacert ./CA.pem --key ./client.key --cert ./client.pem https://10.10.27.101/