Re: Cliente certificates under a specific URL

Smith3III · ‎07-17-2009

Hi friends, hope somebody can advise me on this request.

We have a https://www.site.com which is LB some web servers behind. All content on our site is served under SSL (this is a must).

We would like to use a specific URL to ask for client certificates under a specific subdirectory (cert), something like this: https://www.site.com/cert/

So, everything else is using normal SSL, but all from /cert is erquired to use client certificates.

(btw, subdomains is not an option for us)

Is this possible using a CSS?

Thanks,

jsmiIII

wong34539 · ‎07-23-2009

The CSS can create a certificate but it is only used for testing. It will expire after a few weeks. Plus this cert will not be in the client's browser so they will get the pop up warning.

Redirect Configuration on the CSS 11000:

http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a00801de8d6.shtml

Smith3III · ‎07-23-2009

What I mean is if CSS can restrict SSL access to a specific URL instead of using a subdomain (ie: normal website www.sitea.com, ssl active only www.sitea.com/secure/).

Someboy told me it is possible using some kind of redirects, but honestly, I cannot find any example about that (protect directory)...

thank so much

Gilles Dufour · ‎07-29-2009

yes this is possible.

You create 2 content rulea to catch the decrypted traffic.

One is the generic rule to catch everything and the other one is specific to catch /secure/*.

For the /secure/* you simply loadbalance to the server and keep the connection encrypted.

For the generic rule, you create a web redirect service to send the client back to http://.... instead of httpS://

You do the same on the port 80 (cleartext) traffic but you redirect /secure/* to https and continue the connection in cleartext for the generic rule.

There are multiple examples of CSS redirect configuration on our website.

Gilles.