Nortel Networks NN46120-104 User Manual
Certificates and Client Authentication
Configure a Virtual SSL Server to Require a Client Certificate
This section describes how to configure client certificate authentication
when the VPN Gateway is used for SSL acceleration.
Note:
For information about how to configure client certificate
authentication in conjunction with VPN deployment, see the
"Authentication Methods" chapter in the Application Guide for VPN.
As explained earlier in this chapter, each virtual SSL server on the VPN
Gateway should be configured with a server certificate so that it can
authenticate itself to clients. In addition, the server can be configured
to require client certificates, so that each client is authenticated before
it is granted access to the requested service.
When a server is set to require client certificates, it sends a
CertificateRequest message to the client during the SSL handshake.
The client responds with a Certificate message carrying its public key
certificate, followed by a CertificateVerify message. The CertificateVerify
message contains a signature, made with the client's private key, over the
handshake messages exchanged so far, data that both the client and the
server know. On receiving the CertificateVerify message, the virtual SSL
server verifies this signature with the public key from the client
certificate. A valid signature proves that the client holds the private key
matching the certificate; without this step, anyone who had obtained a copy
of the certificate could present it.
The virtual SSL server also checks whether the certificate the client
presents is signed by an accepted certificate authority (CA). The accepted
CAs are those whose CA certificates you have listed on the virtual SSL
server, so the CA certificate used to issue the client certificates must
also be specified as a CA certificate on the virtual SSL server.
In addition, the virtual SSL server checks whether the client certificate
has been revoked by comparing its serial number with the entries in the
certificate revocation list (CRL). Because serial numbers are unique only
within one issuing CA, and a CRL lists only the certificates revoked up to
the time it was issued, the CRL must come from the CA that issued the
client certificates and must be kept up to date.
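The three server-side checks described above, as an added example that is not part of the Nortel manual and does not show the VPN Gateway CLI: a Go program that generates an in-memory corporate CA, a rogue CA, a server certificate and three client certificates, then runs four handshakes against a TLS server that requires a client certificate, accepts only certificates signed by the corporate CA, and rejects a revoked serial number. The CA names, the host name vpn.example.test, the serial numbers and the in-memory revoked-serial lookup that stands in for a CRL are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { // setup failures abort the example
	if err != nil {
		panic(err)
	}
}

// makeCert builds an in-memory certificate: a self-signed CA when parent is nil, otherwise a leaf for cn signed by parent.
func makeCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, serial int64, usage x509.ExtKeyUsage) (tls.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), // what a CRL entry would list
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn} // the client checks the server's name against this
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}

// serverConfig is the virtual SSL server side: its own certificate, the accepted CA and a serial-number revocation list.
func serverConfig(cert tls.Certificate, acceptedCA *x509.Certificate, revoked map[int64]bool) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(acceptedCA)
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // sends CertificateRequest; no cert or an untrusted cert fails
		ClientCAs:    pool,                           // the accepted certificate authorities
		// Runs once the chain has verified against ClientCAs (so chains is non-empty): the CRL lookup.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0]
			if revoked[leaf.SerialNumber.Int64()] { // toy CRL; real serials exceed int64, compare them as *big.Int
				return fmt.Errorf("client certificate %q (serial %s) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
			}
			return nil
		},
	}
}

// clientConfig trusts serverCA and, when clientCert is given, presents it unconditionally so the server-side checks decide.
func clientConfig(serverCA *x509.Certificate, clientCert *tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA)
	cfg := &tls.Config{RootCAs: pool, ServerName: "vpn.example.test"}
	if clientCert != nil {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	return cfg
}

// handshake runs one handshake over loopback TCP and returns the server's verdict (nil: client authenticated).
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	go func() {
		if raw, err := net.Dial("tcp", ln.Addr().String()); err == nil {
			c := tls.Client(raw, cli)
			_ = c.Handshake() // the server decides; its error is what we report
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	check(err)
	s := tls.Server(raw, srv)
	defer s.Close()
	return s.Handshake()
}

// runScenarios builds a corporate CA, a rogue CA and four client situations (constructed data) and returns each server-side result.
func runScenarios() map[string]error {
	ca, caKey := makeCert(nil, nil, "Corp Client CA", 1, x509.ExtKeyUsageAny)
	rogue, rogueKey := makeCert(nil, nil, "Rogue CA", 1, x509.ExtKeyUsageAny) // not listed on the server
	server, _ := makeCert(ca.Leaf, caKey, "vpn.example.test", 100, x509.ExtKeyUsageServerAuth)
	alice, _ := makeCert(ca.Leaf, caKey, "alice", 101, x509.ExtKeyUsageClientAuth)
	bob, _ := makeCert(ca.Leaf, caKey, "bob", 102, x509.ExtKeyUsageClientAuth) // serial 102 is on the CRL
	mallory, _ := makeCert(rogue.Leaf, rogueKey, "mallory", 103, x509.ExtKeyUsageClientAuth)
	srv := serverConfig(server, ca.Leaf, map[int64]bool{102: true})
	return map[string]error{
		"valid client cert":       handshake(srv, clientConfig(ca.Leaf, &alice)),
		"no client cert":          handshake(srv, clientConfig(ca.Leaf, nil)),
		"cert from unaccepted CA": handshake(srv, clientConfig(ca.Leaf, &mallory)),
		"revoked serial":          handshake(srv, clientConfig(ca.Leaf, &bob)),
	}
}

func main() {
	for name, err := range runScenarios() { // a nil error means the client was authenticated
		fmt.Printf("%-24s %v\n", name, err)
	}
}
```

Only the valid client certificate yields a nil server error; the other three scenarios fail inside the server's handshake, which is where the VPN Gateway's checks also run. One detail worth knowing when reproducing the unaccepted-CA case: a Go client normally refuses to send a certificate whose issuer is absent from the CA list carried in the CertificateRequest, so GetClientCertificate forces it here to make the server's accepted-CA check, rather than client-side politeness, the thing that rejects mallory.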
The following steps demonstrate how to configure a virtual SSL server to
require client certificates for authentication.
Step	Action
1	Display information about the current virtual SSL servers.
	This command displays information about all virtual SSL servers on the
	VPN Gateway, including the installed certificates. Based on
Nortel VPN Gateway
User Guide
NN46120-104
02.01
Standard
14 April 2008
Copyright © 2007-2008 Nortel Networks