In this post I explain some common issues to look at when mutual authentication does not work.
1st, the certificate presented by the server needs to validate on the client.
2nd, the client certificate needs to validate. This also means it cannot be past its expiration date or not yet activated (before its start date).
i.e. an F5 debug log entry for a client certificate that fails validation (the screenshot is not reproduced here).
3rd, the client certificate store typically only offers the user certificate if items #1 and #2 are true and the issuer the site asks for matches the certificate found in the user's local store.
4th, the web client needs his/her certificate and the matching private key. This combination is what is used for the site. The web server will extract the public key from the x509 certificate when authenticating.
5th, a web server might ignore a certificate even if one is provided.
Next, the web server needs the CA to use for verification. The CA used for the client certificate might NOT be the same one that signed the server certificate.
TIPS:
1>
The client certificate has either a UPN { user principal name } or a CN { common name } field, and a web server can scrutinize this when mutual authentication is required. Either one should be correct for the user and the application, and in the correct format,
i.e
kfelix
ken.felix
kenfelix@socpuppets.com
etc....
2>
If the server uses a CRL, ensure the client-certificate is not revoked.
3>
If the site supports auth-fallback, this will come into play after the SSL mutual-authentication request.
4> In most cases, the client certificates do NOT need to be signed under the same CA root as the server's. Most servers that use mutual TLS/SSL client-auth will let you set the CA chain for the client certificates that are to be trusted and allowed.
By using curl you can validate the client certificate and gather verbose details. curl expects PEM by default, so a PKCS#12 bundle (certificate + key) needs --cert-type P12:
i.e.
curl -v --cert-type P12 --cert <client.p12>:<passphrase> https://yourserver.yourdomain.com/
Review the curl output for further paths to explore and investigate.
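The checks listed above (items 1 through 6) together with tips 1 and 4, as an added shell example that is not part of the original post. It assumes the openssl CLI is on PATH and builds constructed, throw-away certificates (the two demo CAs, yourserver.yourdomain.com, the user kfelix, an unrelated key, and the passphrase changeit are all placeholders) so each failure mode can be reproduced offline before touching the real site.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throw-away PKI with
# the openssl CLI (assumed on PATH) and runs the post's checks against it:
# chain/validity, issuer match, cert/key pairing, CN format, and the case
# where the client CA differs from the server CA. All names are constructed.
set -eu
WORK="${MTLS_DEMO_DIR:-$(mktemp -d)}"

# One CA for the server, a second CA for clients (tip 4), one cert each,
# plus an unrelated key so the cert/key mismatch case (item 4) can be shown.
mtls_make_pki() {
  for ca in server-ca client-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
      -keyout "$WORK/$ca.key" -out "$WORK/$ca.crt" -subj "/CN=Demo $ca" 2>/dev/null
  done
  # server certificate, signed by server-ca
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=yourserver.yourdomain.com" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$WORK/server-ca.crt" \
    -CAkey "$WORK/server-ca.key" -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
  # client certificate, signed by client-ca, CN in the bare-username form
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
    -out "$WORK/client.csr" -subj "/CN=kfelix" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/client.csr" -CA "$WORK/client-ca.crt" \
    -CAkey "$WORK/client-ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
  openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null
  # PKCS#12 bundle in the form curl's --cert-type P12 expects
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -passout pass:changeit 2>/dev/null
}

# Items 1, 2 and 6: does the certificate chain to the CA the server is
# configured with, and is it inside its validity window? openssl verify
# checks notBefore/notAfter as well as the signature chain.
cert_chain_ok() {  # $1 = CA file, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Item 3: the browser only offers a client cert whose issuer is in the CA
# list the server sends, so compare the cert's issuer with the CA's subject.
cert_issuer_is() {  # $1 = CA certificate, $2 = client certificate
  [ "$(openssl x509 -in "$2" -noout -issuer | cut -d= -f2-)" = \
    "$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)" ]
}

# Item 4: the private key must belong to the certificate. Derive the public
# key from each side and compare digests; a mismatch means the wrong key file.
cert_key_match() {  # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Tip 1: pull the CN out of the subject and check it is in a form the
# application accepts (bare username, dotted name, or user@domain).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
cn_format_ok() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9._-]+(@[a-z0-9.-]+\.[a-z]+)?$'
}

# Run the checks the way you would on a support case; each prints PASS/FAIL.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
mtls_make_pki
report cert_chain_ok  "$WORK/client-ca.crt" "$WORK/client.crt"   # PASS
report cert_chain_ok  "$WORK/server-ca.crt" "$WORK/client.crt"   # FAIL: wrong CA
report cert_issuer_is "$WORK/client-ca.crt" "$WORK/client.crt"   # PASS
report cert_key_match "$WORK/client.crt" "$WORK/client.key"      # PASS
report cert_key_match "$WORK/client.crt" "$WORK/wrong.key"       # FAIL: wrong key
report cn_format_ok   "$(cert_cn "$WORK/client.crt")"            # PASS
# Then reproduce against the real site, as in the post (no server is started here):
#   curl -v --cert-type P12 --cert "$WORK/client.p12:changeit" \
#        --cacert "$WORK/server-ca.crt" https://yourserver.yourdomain.com/
```

The second cert_chain_ok line is the usual mistake from tip 4: verifying the client certificate against the server's CA fails even though the certificate is perfectly valid, which is why the server must be given the client CA chain separately.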
Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \