How to Enable Client Certificate Authentication on Avi Vantage

Overview

This article explains how to enable client certificate authentication on Avi Vantage. When client certificate authentication is enabled, Avi Vantage validates the SSL certificate presented by a client against a trusted certificate authority (CA) and a configured certificate revocation list (CRL). For more information, refer to Client Certificate Validation on Avi Vantage.

Prerequisites

Knowledge of OpenSSL

Instructions

This section covers the following:

* Generating required keys and certificates
* Configuring CRL
* Exporting PFX key to local workstation
* Creating PKI application profile
* Configuring HTTP profile
* Associating virtual service with the required application profile
* Testing client certificate authentication against the virtual service

Generating Keys and Certificates

Creating Directories for Keys and Certificates

Log in to the Avi CLI, and use the following mkdir command to create a directory in which to store the keys and certificates required for client authentication. Use the cd command to enter the directory.

$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $

Generating Certificate Authority (CA) Key

Use the openssl genrsa -out CA.key 2048 command to generate a 2048-bit RSA private key for the CA. The self-signed CA certificate is created from this key in the next step.

[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
...+++
e is 65537 (0x10001)

Generate the self-signed CA certificate:

[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank

Copyright 2019 Avi Networks, Inc.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:

Note: Leave the email address empty.

Generating Client Certificate Signing Request (CSR)

First generate the client private key with the openssl genrsa -out client.key 2048 command. Next, use the openssl req -new -key client.key -out client.csr command to create the client CSR, and enter the details required for your environment.

Notes:

* The Common Name should match the hostname or FQDN of your client machine.
* Leave the email address, the challenge password, and the optional company name empty.

Generate the client CSR:

[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating Signed Client Certificate

Use the following OpenSSL command to create a client certificate signed by the CA.
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key

Converting Client Key from PEM to PKCS12 (PFX)

Use the following OpenSSL command to bundle the client key and certificate into a PKCS12 (PFX) file. Provide an export password that you can remember, for example, avi123.

[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:

Configuring CRL

Generating CRL

By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL, issued by the CA that signed the client certificate. Use the following OpenSSL command to generate the CRL using the CA key and certificate created in the previous steps.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/ca/index.txt: No such file or directory
unable to open '/etc/pki/ca/index.txt'
139687578113952:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/ca/index.txt','r')
139687578113952:error:20074002:BIO routines:file_ctrl:system lib:bss_file.c:400:

This command may report errors such as the ones above, because the CA database that the default openssl.cnf points to does not exist yet. Take the action each error calls for. For example, the following commands create an empty /etc/pki/ca/index.txt database file and a /etc/pki/ca/crlnumber file with the content 01:

[client-cert-auth-demo] $ touch /etc/pki/ca/index.txt
[client-cert-auth-demo] $ echo 01 > /etc/pki/ca/crlnumber

Re-generating the CRL

Once the errors from the previous step have been resolved, re-run the openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem command to generate the CRL.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
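The key, certificate, PFX and CRL steps above are interactive and rely on the system-wide openssl.cnf CA database, which is why the first openssl ca -gencrl run fails. The script below is an added example, not part of the Avi article, that performs the same sequence non-interactively with a private CA database, and then goes one step beyond the article: it revokes the client certificate, reissues the CRL, and confirms that the refreshed CRL rejects the certificate (the same decision the PKI profile makes with Enable CRL Check on). It assumes only that openssl is on PATH; the function names (write_ca_config, build_demo_pki, check_client_cert, revoke_client_cert), the ca.cnf contents and the working directory are this example's own, while the file names, DN values and the avi123 export password are taken from the article.

```shell
# Added example (not the Avi article's own code): the article's OpenSSL
# procedure scripted end to end, plus revocation and a CRL check.
# Assumes: openssl on PATH. $1 is a scratch directory chosen by the caller.

# Write a minimal "openssl ca" config that points at a per-demo database,
# so -gencrl and -revoke never touch /etc/pki/... (hypothetical file ca.cnf).
write_ca_config() {
    dir="$1"
    mkdir -p "$dir/newcerts"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = $dir
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/CA.pem
private_key      = $dir/CA.key
default_md       = sha256
default_days     = 1024
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF
    : > "$dir/index.txt"          # empty certificate database (the article uses touch)
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"    # same seed value the article writes
}

# CA key and self-signed CA cert, client key and CSR, CA-signed client cert,
# PFX bundle for the workstation keychain, and the initial (empty) CRL.
build_demo_pki() {
    dir="$1"
    write_ca_config "$dir"
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/CA.key" -sha256 -days 1024 \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=demo.avi.com" \
        -out "$dir/CA.pem"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com" \
        -out "$dir/client.csr"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.pem" -CAkey "$dir/CA.key" \
        -CAcreateserial -out "$dir/client.pem" -days 1024 -sha256 2>/dev/null
    # Export password avi123 is the example value from the article.
    openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client.key" \
        -in "$dir/client.pem" -certfile "$dir/CA.pem" -passout pass:avi123
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Return 0 when client.pem chains to CA.pem and is not listed in crl.pem,
# which is the check the PKI profile performs with Enable CRL Check on.
check_client_cert() {
    dir="$1"
    out=$(openssl verify -CAfile "$dir/CA.pem" -crl_check -CRLfile "$dir/crl.pem" \
        "$dir/client.pem" 2>&1 || true)
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Revoke the client cert in the CA database and issue a fresh CRL; this is
# the crl.pem you would upload to the PKI profile to lock that client out.
revoke_client_cert() {
    dir="$1"
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}

# Usage: sh client-cert-demo.sh /path/to/scratch-dir
if [ $# -gt 0 ]; then
    build_demo_pki "$1"
    check_client_cert "$1" && echo "client.pem accepted against crl.pem"
    revoke_client_cert "$1"
    check_client_cert "$1" || echo "client.pem rejected: listed in the new crl.pem"
fi
```

After build_demo_pki, CA.pem is the file to upload under Add CA and crl.pem the file to upload under Add CRL; after revoke_client_cert, only the regenerated crl.pem changes, which is why a CRL-checking profile must be refreshed whenever the CA revokes a certificate.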
Exporting PFX Client Key to the Keychain of Your Local Workstation

Copy client.pfx to your workstation (in this example, a Mac workstation is used), and open it in the keychain. Enter the export password to add the client PFX key to your local keychain store.

Note: Use the export password provided while converting the PEM key to PFX.

Creating PKI Application Profile

Creating PKI Application Profile Using the Avi UI

1. Navigate to Applications > Templates, select the Security tab, and click on the PKI Profile option.
2. Click on the edit icon next to an existing PKI profile, or click New to create a new one. In this example, a new PKI profile is created. Provide the desired name, and select Enable CRL Check.
3. Select Add CA, and click on Upload Certificate Authority.
4. Select Add CRL, and click on the Upload File option to add the CRL file (crl.pem) saved on your local workstation.
5. Click on Save. The CA file and the CRL file are now added to the PKI profile (My-PKI-Profile). The application profile should contain a CRL for each intermediate CA in the chain of trust.

Creating PKI Application Profile Using the Avi CLI

[admin:my-avi-controller-17.2.10]: > configure pkiprofile test
[admin:my-avi-controller-17.2.10]: pkiprofile> ca_certs
New object being created
[admin:my-avi-controller-17.2.10]: pkiprofile:ca_certs> certificate
-- Please input the value for field certificate (Enter END to terminate input):
-----BEGIN CERTIFICATE-----
MIIFAzCCA+ugAwIBAgIEUdNg7jANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50
cnvzdc5uzxqvbgvnywwtdgvybxmxota3bgnvbastmchjksaymda5ievudhj1c3qs
r2rscaweaaaocaqkwggefma4ga1uddweb/wqeawibbjap
jbenmuk+xjprsfddcspe5u6trknvknbfge/kvg9ctbaahqkeomdl8pum4erfovro
GhGonGkvG9/q4jLzzky8RgzAiYDRh2uiz2vUf/31YFJnV6Bt0WRBFG00Yu0GbCTy
BrwoAq8DLcIzBfvLqhboZRBD9Wlc44FYmc1r07jHexlVyUDOeVW4c4npXEBmQxJ/
B7hlVtWNw6f1sbZlnsCDNn8WRTx0S5OKPPEr9TVwc3vnggSxGJgO1JxvGvz8pzOl
u7sy82t6xtkh920l5oj2hieeeubndg5vt6qhcqqepy02qugiux6c
-----END CERTIFICATE-----                                   <-- Press Enter after pasting the certificate
END                                                         <-- Type END and press Enter
[admin:my-avi-controller-17.2.10]: pkiprofile:ca_certs> save
[admin:my-avi-controller-17.2.10]: pkiprofile> no crl_check  <-- Optional for testing
[admin:my-avi-controller-17.2.10]: pkiprofile> save          <-- Past

Configuring HTTP Profile

1. Navigate to Templates > Profiles, select the Application option, and click on Create to create a new HTTP application profile. Provide the desired name, and set the type to HTTP.
2. Select the Security tab, and choose Required under Client SSL Certificate Validation. Select the PKI profile created in the previous step, and add the HTTP headers that you want to see in the application logs.
Associating Application Profile with Virtual Service

1. Navigate to Applications > Virtual Service, and select the desired virtual service. Click on the edit icon, and select the HTTP application profile created in the previous step.

Testing Client Certificate Authentication against Virtual Service

Execute the following curl command using the certificates generated in the previous section to test the connection to the virtual service. 10.10.27.101 is the IP address of the virtual service.

$ curl -k -v --cacert ./CA.pem --key ./client.key --cert ./client.pem https://10.10.27.101/

Note: The -k option skips verification of the virtual service's own server certificate, so this test exercises only the client certificate check performed by the PKI profile. A client that presents no certificate, a certificate not signed by the uploaded CA, or a certificate listed in the uploaded CRL is rejected during the TLS handshake, which is visible in the verbose (-v) output.