03-15-2011 03:21 AM
Hi,
Is anybody able to assist, or does anybody have any experience with the query below?
In the context of the Cisco ACE blade performing SSL Client Authentication, the documentation states that the ACE blade will validate the following:
• A trusted signer issued the certificate
• The valid period of the certificate is still in effect
• The certificate signature is valid and not tampered
• (CRL) the CA has not revoked the certificate
Our requirement is to further check the certificate presented by the client - specifically for a range of valid values for the Subject CN attribute.
Is it possible to configure the ACE blade to check any of the Subject attributes?
03-23-2011 01:38 PM
I don't see where on the ACE itself you could do that checking. However, you can extract information from the client or server certs and insert it into the HTTP header of the inside traffic for the application to process.
As you can see, subject-CN is on the list of insertable attributes.
Would this help?
Matthew
03-24-2011 06:50 AM
Matthew,
Thanks for the information. We are looking into this option, which should enable us to check the credentials we are interested in elsewhere.
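An added example, not part of the thread and not Cisco code, of the application-side check discussed above: the backend accepts a request only if it arrived from the load balancer and carries exactly one Subject CN header whose value falls in the permitted range. The header name, the proxy address and the CN pattern are assumptions; substitute the values from your own ACE configuration and policy.

```python
import re

# Assumed header name: use whatever name your ACE header-insert config emits.
CN_HEADER = "ClientCert-Subject-CN"
# Constructed address standing in for the ACE's server-side interface.
TRUSTED_PROXIES = {"10.0.0.5"}
# Hypothetical policy: CNs partner-01 .. partner-20 under example.com.
ALLOWED_CN = re.compile(r"partner-(?:0[1-9]|1[0-9]|20)\.example\.com")


def check_client_cn(peer_ip, headers):
    """Validate the certificate CN forwarded by the load balancer.

    peer_ip -- source address of the TCP connection to the backend
    headers -- list of (name, value) pairs exactly as received
    Returns (allowed, detail).
    """
    # The header is only meaningful if the load balancer wrote it, so
    # requests that reach the backend by any other path are refused.
    if peer_ip not in TRUSTED_PROXIES:
        return False, "request did not arrive via the load balancer"

    # Collect every instance, case-insensitively. More than one instance
    # means something other than the load balancer also set the header.
    values = [v.strip() for n, v in headers if n.lower() == CN_HEADER.lower()]
    if len(values) != 1:
        return False, "expected exactly one CN header, got %d" % len(values)

    cn = values[0]
    # fullmatch: the whole value must be in range, not just a substring.
    if not ALLOWED_CN.fullmatch(cn):
        return False, "CN %r is outside the allowed range" % cn
    return True, cn


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_client_cn("10.0.0.5", [(CN_HEADER, "partner-07.example.com")]))
    print(check_client_cn("10.0.0.5", [(CN_HEADER, "partner-21.example.com")]))
    print(check_client_cn("192.0.2.9", [(CN_HEADER, "partner-07.example.com")]))
```
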