Nortel Networks NN46120-104 User Manual

Certificates and Client Authentication

Configure a Virtual SSL Server to Require a Client Certificate

This section describes how to configure client certificate authentication
when the VPN Gateway is used for SSL acceleration.

Note: For information about how to configure client certificate
authentication in conjunction with VPN deployment, see the
"Authentication Methods" chapter in the Application Guide for VPN.

As explained previously in this chapter, each virtual SSL server on
the VPN Gateway should be configured to use a server certificate
to authenticate itself to the clients. In addition, the server can be
configured to require client certificates, so that clients are authenticated
before they are granted access to the requested service.

When a server is set to require client certificates, a CertificateRequest
message is sent from the server to the client during the SSL handshake.
The client responds by sending its public key certificate in a Certificate
message. After that, the client sends a CertificateVerify message to the
server. The CertificateVerify message is signed with the client's private
key and covers information about the SSL session that is known to both
the client and the server. Upon receiving the CertificateVerify message,
the virtual SSL server uses the public key from the client certificate to
verify that signature, and thereby the client's identity.

The virtual SSL server also checks whether the certificate the client presents
is signed by an accepted certificate authority (CA). Accepted certificate
authorities are defined by the CA certificates you have listed on the virtual
SSL server. The certificate you use for generating client certificates must
therefore also be specified as a CA certificate on the virtual SSL server.

In addition, the virtual SSL server checks whether the client certificate has
been revoked, by comparing the serial number of the presented client
certificate with the entries in the certificate revocation list (CRL).
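The two server-side checks just described (chain the presented certificate to a CA certificate listed on the server, then look its serial number up in the CRL), as an added Go example that is not from the Nortel manual and does not use the VPN Gateway's own implementation. It builds a constructed in-memory PKI with Go's standard x509 package; the CA name `Client CA`, the clients `alice` and `bob` and all serial numbers are invented.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)
func must[T any](v T, err error) T { // setup helper: any failure while building the constructed sample PKI panics
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a key pair and returns a certificate for cn signed by signer; a nil parent yields the self-signed CA.
func issue(serial int64, cn string, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // the CA may sign certificates and CRLs, and signs its own certificate here
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, signer = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)))), key
}
// checkClientCert applies the two server-side checks from the text: chain to a CA listed on the server, then CRL lookup by serial number.
func checkClientCert(client *x509.Certificate, accepted *x509.CertPool, crl *x509.RevocationList) error {
	if _, err := client.Verify(x509.VerifyOptions{Roots: accepted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("not signed by an accepted CA: %w", err)
	}
	if slices.ContainsFunc(crl.RevokedCertificateEntries, func(e x509.RevocationListEntry) bool { return e.SerialNumber.Cmp(client.SerialNumber) == 0 }) {
		return fmt.Errorf("certificate serial %s is revoked", client.SerialNumber)
	}
	return nil
}
// Verdicts builds the sample PKI (one CA, clients alice and bob, a CRL revoking bob) and checks alice, bob, and alice against an empty CA list.
func Verdicts() (alice, bob, noCA error) {
	caCert, caKey := issue(1, "Client CA", nil, nil)
	aliceCert, _ := issue(1001, "alice", caCert, caKey)
	bobCert, _ := issue(1002, "bob", caCert, caKey)
	accepted := x509.NewCertPool() // the CA certificates listed on the virtual SSL server
	accepted.AddCert(caCert)
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), // the CA publishes a CRL that revokes bob
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: bobCert.SerialNumber, RevocationTime: time.Now()}}}, caCert, caKey))))
	must(0, crl.CheckSignatureFrom(caCert)) // trust only a CRL actually signed by the listed CA
	return checkClientCert(aliceCert, accepted, crl), checkClientCert(bobCert, accepted, crl), checkClientCert(aliceCert, x509.NewCertPool(), crl)
}
```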

The following steps demonstrate how to configure a virtual SSL server to
require client certificates for authentication purposes.

Step 1: Display information about current virtual SSL servers.

This command displays information about all virtual SSL servers
on the VPN Gateway, including the installed certificates. Based on

Nortel VPN Gateway User Guide, NN46120-104, 02.01, Standard, 14 April 2008.
Copyright © 2007-2008 Nortel Networks