How to Enable Client Certificate Authentication on Avi Vantage

Overview

This article explains how to enable client certificate authentication on Avi Vantage. When client certificate authentication is enabled, Avi Vantage validates the SSL certificate presented by a client against a trusted certificate authority (CA) and a configured certificate revocation list (CRL). For more information, refer to Client Certificate Validation on Avi Vantage.

Prerequisites

Knowledge of OpenSSL

Instructions

This section covers the following:

  • Generating required keys and certificates
  • Configuring CRL
  • Exporting PFX Key to local workstation
  • Creating PKI application profile
  • Configuring HTTP profile
  • Configuring L4 SSL/TLS (new for 18.2.3)
  • Associating virtual service with the required application profile
  • Testing client certificate authentication against the virtual service

Generating Keys and Certificates

Creating Directories for Keys and Certificates

Log in to the Avi CLI, and use the following mkdir command to create a directory in which to store the keys and certificates required for client authentication and to run the OpenSSL commands. Use the cd command to enter the directory.

$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $

Generating Certificate Authority (CA) Key and Certificate

Use the openssl genrsa -out CA.key 2048 command to generate a 2048-bit RSA private key for the CA. Then use the openssl req -x509 command shown below to create a self-signed CA certificate from that key.

[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................+++
..............................+++
e is 65537 (0x10001)
Generate self-signed CA Cert:
[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:

Note: Leave the email address empty.

Generating Client Certificate Signing Request (CSR)

First generate a client.key using the openssl genrsa -out client.key 2048 command.
Next, use the openssl req -new -key client.key -out client.csr command to create a client CSR. Enter all the details as per the requirement.

Notes:

  • The Common Name should match the hostname or FQDN of your client machine.
  • Leave the email address, the challenge password, and the optional company name empty.
Generate client CSR:
 [client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:US
 State or Province Name (full name) []:California
 Locality Name (eg, city) [Default City]:Santa Clara
 Organization Name (eg, company) [Default Company Ltd]:Avi Networks
 Organizational Unit Name (eg, section) []:Engineering
 Common Name (eg, your name or your server's hostname) []:client.avi.com
 Email Address []:
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:

Creating Signed Client Certificate:

Use the following OpenSSL command to create a signed client certificate.

 [client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
 Signature ok
 subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
 Getting CA Private Key

Converting Client Key from PEM to PKCS12 (PFX)

Use the following OpenSSL command to convert the client key format from PEM to PKCS12. Provide an export password that you can remember, for example, avi123.

[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
 Enter Export Password:
 Verifying - Enter Export Password:

Configuring CRL

Generating CRL

By default, if client certificate validation is enabled in an HTTP profile, the PKI profile used by the virtual service must contain at least one CRL. This CRL is issued by the CA that signed the client certificate. Use the following OpenSSL command to generate the CRL using the key and the certificate created in the previous steps.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139687578113952:error:02001002:system library:fopen:No such file or
directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
139687578113952:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

This command may exhibit a few errors. Take the actions as required. In the output above, the CA database file /etc/pki/CA/index.txt named in the OpenSSL configuration does not exist. For example, the following commands create the file /etc/pki/CA/index.txt and the file /etc/pki/CA/crlnumber with the content 01:

[client-cert-auth-demo] $ touch /etc/pki/CA/index.txt
[client-cert-auth-demo] $ echo 01 > /etc/pki/CA/crlnumber

Re-generating the CRL

Once action is taken as per the error in the previous step, re-run the openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem command to generate the CRL once again.

[client-cert-auth-demo] $ openssl ca -gencrl -keyfile CA.key -cert CA.pem -out crl.pem
Using configuration from /etc/pki/tls/openssl.cnf
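The key, certificate and CRL steps above as one non-interactive script, added here as an example (it is not part of the original article or of Avi Vantage). It uses a private OpenSSL config so that openssl ca does not depend on /etc/pki/CA, adds a revocation step to show the CRL doing its job, and verifies the client certificate the way the PKI profile will (chain to the CA, not on the CRL); the directory name and subject values are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. A private ca.cnf replaces
# /etc/pki/CA/index.txt and crlnumber so "openssl ca" runs in the demo dir.
# WORKDIR and the subject values are assumptions for this demo.
set -eu

WORKDIR="${WORKDIR:-client-cert-auth-demo}"
CA_SUBJ="/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=demo.avi.com"
CLIENT_SUBJ="/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com"

gen_ca_and_client() (
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  openssl genrsa -out CA.key 2048 2>/dev/null               # CA private key
  openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 \
    -subj "$CA_SUBJ" -out CA.pem                            # self-signed CA certificate
  openssl genrsa -out client.key 2048 2>/dev/null           # client private key
  openssl req -new -key client.key -subj "$CLIENT_SUBJ" -out client.csr
  openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
    -out client.pem -days 1024 -sha256 2>/dev/null          # CA-signed client certificate
  # Minimal "openssl ca" database (the files the article creates under /etc/pki/CA).
  : > index.txt
  echo 01 > crlnumber
  printf '%s\n' '[ ca ]' 'default_ca = demo_ca' '[ demo_ca ]' \
    'database = index.txt' 'crlnumber = crlnumber' \
    'default_md = sha256' 'default_crl_days = 30' > ca.cnf
)

# Issue (or re-issue) the CA's CRL: crl.pem is the file uploaded to the PKI profile.
gen_crl() (
  cd "$WORKDIR"
  openssl ca -config ca.cnf -gencrl -keyfile CA.key -cert CA.pem -out crl.pem 2>/dev/null
)

# Mark the client certificate revoked in the CA database; run gen_crl afterwards.
revoke_client() (
  cd "$WORKDIR"
  openssl ca -config ca.cnf -revoke client.pem -keyfile CA.key -cert CA.pem 2>/dev/null
)

# The check Avi Vantage performs: chains to the CA and is absent from the CRL (exit 0).
verify_client() (
  cd "$WORKDIR"
  openssl verify -crl_check -CAfile CA.pem -CRLfile crl.pem client.pem
)

gen_ca_and_client
gen_crl
verify_client                                   # client.pem: OK
revoke_client && gen_crl
verify_client || echo "revoked client certificate rejected, as expected"
```

Re-upload crl.pem to the PKI profile after every revocation; a stale CRL keeps accepting the revoked certificate.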

Exporting PFX Client Key to the Keychain of Your Local Workstation

Copy client.pfx to your workstation (in this example, a Mac workstation is used) and open it in Keychain Access. Enter the export password to add the client PFX key to your local keychain store.

Note: Use the export password provided while converting PEM key to PFX key.


Creating PKI Application Profile

Creating PKI Application Profile Using the Avi UI

  1. Navigate to Applications > Templates, select the Security tab, and click on the PKI Profile option.


  2. Click on the edit icon next to an existing PKI profile, or click New to create a new one. In this example, a new PKI profile is created. Provide the desired name, and select Enable CRL Check.


  3. Select Add CA, and click on Upload Certificate Authority.


  4. Select Add CRL, and click on the Upload File option to add the CRL file (crl.pem) saved on your local workstation.


  5. Click on Save. The CA file and the CRL file are now added to the PKI profile (My-PKI-Profile). The PKI profile should contain a CRL for each intermediate CA in the chain of trust.

Creating PKI Application Profile Using the Avi CLI

[admin:My-Avi-Controller-17.2.10]: > configure pkiprofile test                                                                                          
[admin:My-Avi-Controller-17.2.10]: pkiprofile> ca_certs 
New object being created
[admin:My-Avi-Controller-17.2.10]: pkiprofile:ca_certs> certificate --
Please input the value for field certificate (Enter END to terminate input):-----BEGIN CERTIFICATE-----   <————————— Paste cert here
-----END CERTIFICATE-----                   <—————————  Press Enter key after pasting cert
END                                         <—————————  Type END and press Enter key
[admin:My-Avi-Controller-17.2.10]: pkiprofile:ca_certs> save
[admin:My-Avi-Controller-17.2.10]: pkiprofile> no crl_check      <—————————  Optional for testing
[admin:My-Avi-Controller-17.2.10]: pkiprofile> save

Configuring HTTP Profile

  1. Navigate to Templates > Profiles, select the Application option, and click on Create to create a new HTTP application profile. Provide the desired name, and set the type to HTTP.

  2. Select the Security tab, and under Client SSL Certificate Validation choose Required.


    Select the PKI profile created in the previous step, and add the desired HTTP headers that you want to see in the application logs.


Configuring L4 SSL/TLS Profile

Starting with Avi Vantage release 18.2.3, the Avi CLI interface can be used to configure L4 SSL/TLS application profiles for client SSL certificate validation.

  1. Log in to the Avi CLI (shell).
  2. Edit or create the application profile for your L4 SSL/TLS application. In this example, we’ve chosen to name the profile my-L4-app-profile.
    [admin:our-controller]: > configure applicationprofile my-L4-app-profile
  3. Declare the profile to be of type L4.
    [admin:our-controller]: applicationprofile> type application_profile_type_l4
  4. Enter the tcp_app_profile submode.
    [admin:our-controller]: applicationprofile> tcp_app_profile
  5. Enter ssl_client_certificate_mode. If you type only part of the keyword and then press the TAB key twice, the three choices appear.
    [admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_
    ssl_client_certificate_none      Enum option does not have an e_description option
    ssl_client_certificate_request   Enum option does not have an e_description option
    ssl_client_certificate_require   Enum option does not have an e_description option
  6. Pick the desired validation type, which is explained in a subsequent section of this article.
    [admin:our-controller]: applicationprofile:tcp_app_profile> ssl_client_certificate_mode ssl_client_certificate_require
  7. For either ssl_client_certificate_request or ssl_client_certificate_require mode, a PKI profile is required and must already exist before the application profile is saved.
    [admin:our-controller]: applicationprofile:tcp_app_profile> pki_profile_ref my-L4-pki
  8. Save the configuration.
    [admin:our-controller]: applicationprofile:tcp_app_profile> save
    [admin:our-controller]: applicationprofile> save
    [admin:our-controller]:

Associating Application Profile with Virtual Service

  1. Navigate to Applications > Virtual Service and select the desired virtual service. Click on the edit icon, and select the HTTP application profile created in the previous step.


Testing Client Certificate Authentication against Virtual Service

Execute the following curl command, using the certificates generated in the previous section, to test the connection to the virtual service. 10.10.27.101 is the IP address of the virtual service. Note that -k disables verification of the virtual service's own server certificate; it is only needed when that certificate is not trusted by the client.

   $ curl -k -v --cacert ./CA.pem --key ./client.key --cert ./client.pem https://10.10.27.101/