Configuring virtual host trusted certificate groups
Configure a virtual host trusted certificate group that can implement client certificate authentication.
About this task
Assigning a trusted certificate group to a virtual host provides a mechanism to authenticate using client certificates during any request to sites using the specified virtual host.
Trusted certificate groups are applied at the host name level and are independent of the configured port. This means that a mapping to a virtual host of
Steps
- Click Applications, then go to Applications > Virtual Hosts.
- Click to expand the virtual host you want to modify.
- Click the Pencil icon.
  Virtual hosts that have certificate authentication configured will display the message Client Certificate Authentication in the associated bar.
- In the Client Certificate Authentication field, click the Pencil icon.
- From the Trusted Certificate Group list, select the appropriate certificate group.
  You can select an existing trusted certificate group, or use one of the following options.
  Choose from:
  - No Certificate Authentication – Does not require certificate authentication.
  - Java Trust Store – Uses the Java Trust Store for certificate authentication.
  - Trust Any – Allows client authentication with any certificate, including self-signed certificates.
    If you use the Trust Any method in production, you should log client certificates in the audit log.
- To save the trusted certificate group settings, click Save.
- To confirm your changes, click Save.
- Add the following two Groovy script rules to force validation of the server name indication (SNI) and the client certificate chain. Both rules treat missing TLS data the same way as an empty value, so a request that carries no SNI name or no client certificate fails closed rather than passing through a null result.
  Validate SNI:
      // Fail when the request carries no SNI name. The null-safe chain yields null
      // if there is no TLS data at all, and null must fail just like an empty list.
      def sniNames = exc?.getSslData()?.getSniServerNames();
      if (sniNames == null || sniNames.isEmpty()) { fail(); } else { pass(); }
  Validate client certificate chain:
      // Fail when no client certificate chain was presented. As above, a null
      // chain (no TLS data or no certificate) is treated the same as an empty one.
      def chain = exc?.getSslData()?.getClientCertificateChain();
      if (chain == null || chain.isEmpty()) { fail(); } else { pass(); }
- Apply these rules to applications that use this virtual host.
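The following stand-alone Groovy script is an added example, not part of the product documentation, showing why the rules above need an explicit null check. It models the exchange with two constructed stub classes (Exchange and SslData) whose method names mirror the getSslData(), getSniServerNames() and getClientCertificateChain() calls used on this page; it assumes, as the page's own use of the null-safe ?. operator suggests, that a missing element is surfaced as null. It runs with a plain Groovy installation and needs no product libraries.

```groovy
// Added example (not from the documentation): shows how the rule expression
// evaluates for null versus empty inputs. The classes below are constructed
// stand-ins for the real exchange object, kept to the three getters the page uses.

class SslData {
    List<String> sniServerNames          // null when the client sent no SNI extension
    List<Object> clientCertificateChain  // null when no client certificate was presented
    List<String> getSniServerNames() { sniServerNames }
    List<Object> getClientCertificateChain() { clientCertificateChain }
}

class Exchange {
    SslData sslData                      // null for a request with no TLS data
    SslData getSslData() { sslData }
}

// Same shape as the one-line rule on the page. When any link in the ?. chain is
// null, isEmpty() is never called and the expression is null; Groovy treats null
// as false, so the rule takes the else branch and PASSES the request.
String naiveChainRule(Exchange exc) {
    if (exc?.getSslData()?.getClientCertificateChain()?.isEmpty()) { return 'fail' } else { return 'pass' }
}

// Fail-closed version: a null chain is rejected exactly like an empty one.
String strictChainRule(Exchange exc) {
    def chain = exc?.getSslData()?.getClientCertificateChain()
    if (chain == null || chain.isEmpty()) { return 'fail' } else { return 'pass' }
}

// Same fail-closed pattern applied to the SNI rule.
String strictSniRule(Exchange exc) {
    def names = exc?.getSslData()?.getSniServerNames()
    if (names == null || names.isEmpty()) { return 'fail' } else { return 'pass' }
}

// Constructed scenarios; 'app.example.com' and '<leaf cert>' are placeholders.
def cases = [
    'no TLS data at all'         : new Exchange(sslData: null),
    'TLS, no SNI, no client cert': new Exchange(sslData: new SslData(sniServerNames: null, clientCertificateChain: null)),
    'TLS, SNI, empty chain'      : new Exchange(sslData: new SslData(sniServerNames: ['app.example.com'], clientCertificateChain: [])),
    'TLS, SNI and cert present'  : new Exchange(sslData: new SslData(sniServerNames: ['app.example.com'], clientCertificateChain: ['<leaf cert>'])),
]

cases.each { String name, Exchange exc ->
    println "${name.padRight(28)} naive=${naiveChainRule(exc)}  strict=${strictChainRule(exc)}  sni=${strictSniRule(exc)}"
}
```

Run it with `groovy <file>.groovy`. The first two scenarios are the ones that matter: with no TLS data or no certificate, the naive chain rule reports pass while the strict rule reports fail, because the only case in which the original expression can evaluate to true is a chain that exists and is empty. The strict variants differ from the naive one only when an intermediate value is null, so they do not change the outcome for requests that actually carry SNI and a certificate.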