PingAccess

Configuring virtual host trusted certificate groups

Configure a virtual host trusted certificate group that can implement client certificate authentication.

About this task

Assigning a trusted certificate group to a virtual host provides a mechanism to authenticate using client certificates during any request to sites using the specified virtual host.

Trusted certificate groups are applied at the host name level and are independent of the configured port. This means that a mapping to a virtual host of *.example.com will apply to requests received on virtual hosts *.example.com:3000 and *.example.com:443.

Steps

  1. Click Applications, then go to Applications > Virtual Hosts.

  2. Click to expand the virtual host you want to modify.

  3. Click the Pencil icon.

    Virtual hosts that have certificate authentication configured will display the message Client Certificate Authentication in the associated bar.

  4. In the Client Certificate Authentication field, click the Pencil icon.

  5. From the Trusted Certificate Group list, select the appropriate certificate group.

    You can select an existing trusted certificate group, or use one of the following options.

    Choose from:

    • No Certificate Authentication – Does not require certificate authentication.

    • Java Trust Store – Uses the Java Trust Store for certificate authentication.

    • Trust Any – Allows client authentication with any certificate including self-signed certificates.

      If you use the Trust Any method in production, you should log client certificates in the audit log.

  6. To save the trusted certificate group settings, click Save.

  7. To confirm your changes, click Save.

  8. Add the following two Groovy script rules to force validation of the server name indication (SNI) and client certificate chain.

    Validate SNI

    // Fail closed: with the null-safe operator, a missing SSL data object or a
    // null server-name list evaluates to null, and Groovy treats null as false,
    // so a bare if(...?.isEmpty()) would pass such a request. Check explicitly.
    def sniNames = exc?.getSslData()?.getSniServerNames()
    if(sniNames == null || sniNames.isEmpty())
    {
      fail();
    }
    else
    {
      pass();
    }

    Validate client certificate chain

    // Same fail-closed handling: a request with no SSL data or a null chain
    // must be rejected, not silently passed.
    def chain = exc?.getSslData()?.getClientCertificateChain()
    if(chain == null || chain.isEmpty())
    {
      fail();
    }
    else
    {
      pass();
    }

  9. Apply these rules to applications that use this virtual host.
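The following single rule is an added example, not code from the PingAccess documentation. It combines the two checks above into one fail-closed rule and adds two points the page describes but the separate rules do not enforce: the SNI value must match the virtual host name the group is mapped to, compared on the host name only (trusted certificate groups apply per host name, independent of port), and the presented leaf certificate must be within its validity period. It assumes the same script-rule bindings the page's rules use (exc, getSslData(), getSniServerNames(), getClientCertificateChain(), pass(), fail()), assumes the chain is a list of java.security.cert.X509Certificate with the leaf first, and uses the constructed virtual host name *.example.com.

```groovy
import java.security.cert.X509Certificate
import java.security.cert.CertificateException

// Constructed value: the host name pattern this virtual host is mapped to.
// No port is included, because the trusted certificate group applies to the
// host name regardless of whether the request arrived on :3000 or :443.
def expectedHost = "*.example.com"

// Case-insensitive match; "*." matches exactly one leading DNS label, so
// "api.example.com" matches "*.example.com" but "a.b.example.com" and
// "example.com" do not. SNI values never carry a port, so none is stripped.
def hostMatches = { String sni, String pattern ->
    if (!sni || !pattern) return false
    sni = sni.toLowerCase()
    pattern = pattern.toLowerCase()
    if (!pattern.startsWith("*.")) return sni == pattern
    String suffix = pattern.substring(1)          // ".example.com"
    if (!sni.endsWith(suffix)) return false
    String label = sni.substring(0, sni.length() - suffix.length())
    return label && !label.contains(".")
}

// Null-safe lookups; every null or empty result below is treated as failure.
def ssl = exc?.getSslData()
def sniNames = ssl?.getSniServerNames()
def chain = ssl?.getClientCertificateChain()   // assumed: List<X509Certificate>, leaf first

if (!sniNames || !sniNames.any { hostMatches(it, expectedHost) }) {
    // No TLS data, no SNI, or SNI for a different host than this virtual host.
    fail()
} else if (!chain) {
    // No client certificate was presented during the handshake.
    fail()
} else {
    try {
        // Reject expired or not-yet-valid leaf certificates even when the
        // virtual host uses the Trust Any group.
        (chain[0] as X509Certificate).checkValidity()
        pass()
    } catch (CertificateException e) {
        fail()
    }
}
```

Because the rule calls fail() for every null or empty intermediate value, a plain-HTTP request or a handshake without SNI cannot slip through the way a bare null-safe isEmpty() check would allow; keep hostMatches restricted to a single label unless the virtual host mapping itself is broader.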