Applies To: 11.6.4, 11.6.3, 11.6.2, 11.6.1
About client certificate inspection
The Client Cert Inspection access policy item checks the result of the SSL handshake that occurred at the start of the session; it does not negotiate an SSL session itself. It relies on the client authentication settings of the client SSL profile that is attached to the virtual server. The Client Cert Inspection item reports the result of that handshake, including the certificate revocation status when the client SSL profile specifies a certificate revocation list (CRL).
Task summary for client certificate inspection
To complete this configuration, you need an access profile and a virtual server configured. Checking the validity of a client certificate is very likely to be one of many items you add to an access policy.
Creating a client SSL profile for certificate inspection
- On the Main tab, open the client SSL profile list. The Client profile list screen opens.
- Click Create. The New Client SSL Profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select clientssl.
- Scroll down to the Client Authentication area.
- Select the Custom check box for Client Authentication. The settings become available.
- From the Client Certificate list, select request. With request, the BIG-IP system asks the client for a certificate but completes the handshake whether or not a valid one is presented, so the access policy can branch on the outcome. Alternatively, select require; however, if you do, the handshake fails before the access policy runs unless the user presents a valid client certificate.
- Optional: If you imported a CRL, select it from the Certificate Revocation List (CRL) list. A CRL selected here is a static imported file, so it is only as current as its most recent import. If you are using this client SSL profile in conjunction with an access policy that performs OCSP Responder authentication or CRLDP authentication, do not select a CRL.
- Click Finished.
Configuring an access policy to confirm client certificate validity
- On the Main tab, open the access profile list. The Access Profiles List screen opens.
- In the Access Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new action item. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
- In the search field type client, then select Client Cert Inspection from the results list, and click Add item. A popup Properties screen displays.
- Click Save. The properties screen closes and the visual policy editor displays.
Complete the access policy:
- Add any additional access policy items you require.
- Change the ending from Deny to Allow on any access policy branch on which you want to grant access.
- Click Apply Access Policy to save your configuration.