Configuring Mutual Authentication Using Third-Party Certificates
Novell Cool Solutions: Feature
Posted: 19 Feb 2004
When configuring SSL Certificate Mutual Authentication, the Client CA must be the same as the server CA. If this is not the case, Mutual Authentication will not work. Please pay special attention to this before beginning.
Configuring Mutual Authentication using a third-party CA such as Verisign, Thawte, etc. is slightly different from using Novell's CA. If you want to use Novell's CA, please see TID10066648. The steps in that TID are almost identical to this document; however, there are some differences. Pay special attention to "Signing the CSR" and "Obtaining a Client Certificate from Verisign."
- Verify date/time settings
- Create a Certificate Signing Request (CSR)
- Signing the CSR
- Create the Mutual Authentication Profile
- Create the Accelerator
- Obtaining a Client Certificate from Verisign
- Import the Private Key (Client Certificate) into Internet Explorer
Check the date/time settings on iChain and the Certificate Server that will be signing the request. If they are not the same (or very close) the certificate may not work.
Using the iChain Web Management utility, create a certificate from the Certificate Maintenance tab on the home page. When creating, choose the defaults. Name it something you'll remember. For the Subject name, make sure it matches the DNS name of the reverse accelerator. This will prevent any errors with the certificate name check. Use an External certificate authority. Fill in the Organization, City/town, State/province and Country fields. Click OK and Apply.
This will create a CSR. Use the view CSR Button to view the CSR in a browser window. The Status will read "CSR in progress" at this point. Click on File > Save as. Name it CSR.B64 so that you can keep track.
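The subject name check above (the CSR's Common Name must equal the accelerator's DNS name, or the browser will complain about the certificate name) can be verified before the CSR is sent off for signing. The following is an added example, not part of the original article or of iChain, that creates a CSR with the openssl CLI and compares its CN with the accelerator name; it assumes openssl is on the PATH, and the organisation values and DNS name are constructed:

```shell
#!/bin/sh
# Added example, not from the original article: build a CSR with openssl and confirm
# that its Common Name is the DNS name clients will use for the reverse accelerator.
# Assumes openssl is on PATH; subject values below are constructed for the demo.

# make_csr DIR CN: write DIR/server.key and DIR/csr.b64 (PEM) for the given Common Name.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/csr.b64" \
        -subj "/C=US/ST=Utah/L=Provo/O=Example Org/CN=$2" 2>/dev/null
}

# csr_cn CSR: print the Common Name from the CSR subject (what the article's
# "view CSR" button shows you in a browser window).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_matches_dns CSR DNSNAME: 0 when the CN equals DNSNAME, compared case-insensitively
# because DNS names are case-insensitive.
csr_matches_dns() {
    cn=$(csr_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$cn" ] && [ "$cn" = "$want" ]
}

if [ "${1-}" = demo ]; then
    dir=$(mktemp -d)
    make_csr "$dir" "portal.example.com"
    echo "CSR subject CN: $(csr_cn "$dir/csr.b64")"
    if csr_matches_dns "$dir/csr.b64" "portal.example.com"; then
        echo "CN matches the accelerator DNS name; safe to send for signing"
    else
        echo "CN does not match the accelerator DNS name; regenerate the CSR"
    fi
fi
```

Run it as `sh csr_check.sh demo` to see the constructed CSR checked; in practice point `csr_matches_dns` at the CSR.B64 file you saved from the iChain Web Management tool.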
Now that you have generated the CSR from the iChain proxy, you need to have it signed by Verisign. Please visit http://www.verisign.com to choose your SSL Certificate product and follow the online instructions for getting your CSR signed. Once your CSR is signed you will receive an email from Verisign with your server certificate and a link to download their trusted root certificate. You will need both of these to complete the certificate creation process that you started in the iChain Web Management tool.
Now that you have the Trusted Root Certificate and Server Certificate from Verisign, switch back to the iChain Web Management Tool. Select the Certificate Maintenance tab on the Home page. Select the certificate that you created before. Click the Store Certificate button at the bottom.
You should have two fields: one for the CA Certificate contents and one for the Server Certificate contents. The text of the Trusted Root Certificate you received from Verisign goes into the CA field; the text of the Server Certificate you received from Verisign goes into the Server field. Use WordPad to open the files and copy and paste the text. Notepad has a tendency to add box characters in place of carriage returns, and the certificate will not be valid.
Click Create. Everything should go as expected; then click the Apply button in the iChain Web Management tool.
You are now ready to set up your accelerator for mutual authentication with your Authentication tree (LDAP Tree).
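The Notepad problem described above (stray CR or NUL "box" characters in the pasted text) is easy to catch mechanically. The following is an added example, not from the original article or from iChain, that normalises a pasted certificate file and rejects it if the BEGIN/END markers or the base64 body are damaged; it assumes GNU coreutils (`base64 -d`), and the sample file it builds is constructed, not a real certificate:

```shell
#!/bin/sh
# Added example, not from the original article: repair and check a certificate
# text file that was round-tripped through Notepad, which can leave stray CR or
# NUL "box" characters that make the pasted certificate invalid.
# Assumes GNU coreutils (base64 -d); the sample built in demo_run is constructed.

# clean_pem IN OUT: turn CR-only or CRLF line endings into LF, drop NUL bytes,
# strip surrounding whitespace and blank lines, and write the result to OUT.
clean_pem() {
    tr -d '\000' < "$1" | tr '\r' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' > "$2"
}

# check_pem FILE: return 0 only when FILE is a single PEM block whose BEGIN and END
# labels agree and whose body is clean base64; the reason is printed on failure.
check_pem() {
    f="$1"
    head -n 1 "$f" | grep -q '^-----BEGIN [A-Z ]*-----$' \
        || { echo "$f: first line is not a BEGIN marker" >&2; return 1; }
    tail -n 1 "$f" | grep -q '^-----END [A-Z ]*-----$' \
        || { echo "$f: last line is not an END marker" >&2; return 1; }
    b=$(head -n 1 "$f" | sed 's/^-----BEGIN \(.*\)-----$/\1/')
    e=$(tail -n 1 "$f" | sed 's/^-----END \(.*\)-----$/\1/')
    [ "$b" = "$e" ] || { echo "$f: marker labels differ ($b / $e)" >&2; return 1; }
    if sed -e '1d' -e '$d' "$f" | grep -qv '^[A-Za-z0-9+/=]*$'; then
        echo "$f: body contains characters outside the base64 alphabet" >&2; return 1
    fi
    sed -e '1d' -e '$d' "$f" | tr -d '\n' | base64 -d > /dev/null 2>&1 \
        || { echo "$f: body does not decode as base64" >&2; return 1; }
}

# demo_run DIR: build a constructed sample with CR-only line endings and a trailing
# NUL (what a Notepad round trip can produce), show it failing, clean it, show it passing.
demo_run() {
    body=$(printf 'constructed sample, not a real certificate' | base64)
    printf -- '-----BEGIN CERTIFICATE-----\r%s\r-----END CERTIFICATE-----\r\000' "$body" > "$1/pasted.pem"
    check_pem "$1/pasted.pem" || echo "pasted file rejected, cleaning it"
    clean_pem "$1/pasted.pem" "$1/clean.pem"
    check_pem "$1/clean.pem" && echo "clean file accepted"
}

if [ "${1-}" = demo ]; then
    dir=$(mktemp -d)
    demo_run "$dir"
fi
```

Run it as `sh pem_check.sh demo`. The CR-to-LF translation is deliberate: simply deleting carriage returns would collapse a CR-only file into a single line, which is exactly the "entire text appears to be one line" symptom in the troubleshooting section.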
Go to the Configure page, the Authentication Tab. Click Insert. Name the profile (like MUTUAL), and choose the "SSL Certificate Mutual Authentication" radio button. Click OK. There's nothing else to configure.
Now choose the Web Server Accelerator tab. Create a new accelerator the way you would create any accelerator. Set the IP addresses, DNS Names (must match the subject name in step 1), etc. Click the Enable Authentication box. Click the Authentication Options button. Select the Mutual Profile and Add it to the Services Profiles side. Click OK.
You don't need to enable Secure Exchange, but you do need to make sure that you are listening on a unique SSL listening port (for that IP address) and that you choose the name of the certificate that you created in the drop down box. Click OK.
As mentioned at the beginning, for Mutual Authentication to work you need both a Client Certificate and a Server Certificate. The above instructions were for the Server Certificate. You must now obtain a Client Certificate from Verisign as well. Please visit http://www.verisign.com/products/site/faq/sales.html to obtain this. Verisign will then send back a client certificate in PKCS7 format. This certificate is to be installed into Internet Explorer.
Launch IE and go to File, then Open. Browse to the user's private certificate that you just received from Verisign (the PKCS7 file). Click Open and OK. Click Next to continue importing the certificate. Click Next again to import the selected file. The next screen will prompt for the password that was used to create the user certificate (if a password was used) during the export process. Click Next. The next screen asks where you want to store the certificate. Choose the default to automatically install. Click on Next, then Finish, and Yes to add the certificate.
- Can't see the Certificate to select when configuring the accelerator.
There are frequently problems when copying/pasting the certificate text file. Open the file in Notepad and make sure there are no "box" characters in the text. They may appear at the very end of the text, or the entire text may appear to be only one or two lines; all carriage returns show up as a box character. Delete them and try again. The certificates need to be in the following format:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
- There is no prompt to select the proper certificate when you connect to the accelerator. View the User certificate you imported into Internet Explorer and the Organization CA and verify that the Issuer name matches (Tools > Internet Options > Content > Certificates > Highlight the certificate > View > Details Tab.)
- Turn on advanced troubleshooting error messages by adding the following to PROXY.CFG on the iChain box:
Then restart the server. The browser should then receive more meaningful error messages. Do not leave this turned on. Doing so will give "hackers" an advantage.
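The issuer check the troubleshooting list asks you to make by eye in the Internet Explorer certificate viewer, together with the opening warning that client and server CA must be the same and the date/time caveat, can be scripted. The following is an added example, not part of the original article or of iChain, that uses the openssl CLI to confirm a client certificate's issuer name equals the CA's subject, that its signature actually verifies against that CA, and that it has not expired; it assumes openssl is on the PATH, and every certificate it generates is constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not from the original article: confirm with openssl that a client
# certificate really comes from the CA the accelerator trusts and has not expired.
# Assumes openssl is on PATH; the CA and client certificates from make_demo_certs
# are constructed test material only.

# issuer_matches CLIENT CA: 0 when CLIENT's issuer name equals CA's subject name,
# the same comparison the article asks you to make in the IE certificate viewer.
issuer_matches() {
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ -n "$iss" ] && [ "$iss" = "$sub" ]
}

# signed_by CLIENT CA: 0 when the signature chain verifies against CA. A matching
# issuer name is necessary but not sufficient; this check is the authoritative one.
signed_by() {
    openssl verify -CAfile "$2" "$1" > /dev/null 2>&1
}

# not_expired CERT: 0 when notAfter is still in the future according to the local
# clock (the article's reminder that iChain and the signing server must agree on time).
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 > /dev/null 2>&1
}

# make_demo_certs DIR: constructed test material: a trusted CA, an unrelated CA,
# and a client certificate signed by the trusted CA.
make_demo_certs() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/O=Example Org/CN=Example Trusted Root" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$d/other.key" -out "$d/other.pem" \
        -subj "/O=Example Org/CN=Unrelated CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/O=Example Org/CN=jdoe" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.pem" 2>/dev/null
}

if [ "${1-}" = demo ]; then
    dir=$(mktemp -d)
    make_demo_certs "$dir"
    for ca in ca.pem other.pem; do
        if issuer_matches "$dir/client.pem" "$dir/$ca" && signed_by "$dir/client.pem" "$dir/$ca"; then
            echo "client.pem was issued by $ca"
        else
            echo "client.pem was NOT issued by $ca: mutual authentication against it would fail"
        fi
    done
    not_expired "$dir/client.pem" && echo "client.pem has not expired"
fi
```

Run it as `sh issuer_check.sh demo`. For a real deployment, export the user certificate from Internet Explorer in Base64 form and run `issuer_matches` and `signed_by` against the CA certificate you stored in the iChain Web Management tool; a name match with a failing `signed_by` means two different CAs share a subject name, and the browser will still not be prompted for the right certificate.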
**Don't forget to configure your ISO object and your ACL rules to allow the user into the protected resource.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com