ADC

Server authentication

September 14, 2021

Contributed by:

S C

Since the Citrix ADC appliance performs SSL offload and acceleration on behalf of a web server, the appliance does not usually authenticate the Web server’s certificate. However, you can authenticate the server in deployments that require end-to-end SSL encryption.

In such a situation, the appliance becomes the SSL client and carries out a secure transaction with the SSL server. It verifies that a CA whose certificate is bound to the SSL service has signed the server certificate, and checks the validity of the server certificate.

To authenticate the server, enable server authentication and bind the certificate of the CA that signed the server’s certificate to the SSL service on the ADC appliance. When binding the certificate, you must specify the bind as a CA option.

Enable (or disable) server certificate authentication

You can use the CLI and the GUI to enable and disable server certificate authentication.

Enable (or disable) server certificate authentication using the CLI

At the command prompt, type the following commands to enable server certificate authentication and verify the configuration:

set ssl service <serviceName> -serverAuth ( ENABLED | DISABLED )
show ssl service <serviceName>
<!--NeedCopy-->

Example:

set ssl service ssl-service-1 -serverAuth ENABLED
<!--NeedCopy-->

show ssl service ssl-service-1

            Advanced SSL configuration for Back-end SSL Service ssl-service-1:`
            DH: DISABLED
            Ephemeral RSA: DISABLED
            Session Reuse: ENABLED          Timeout: 300 seconds
            Cipher Redirect: DISABLED
            SSLv2 Redirect: DISABLED
            Server Auth: ENABLED
            SSL Redirect: DISABLED
            Non FIPS Ciphers: DISABLED
            SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED
    1)      Cipher Name: ALL
            Description: Predefined Cipher Alias
Done
<!--NeedCopy-->

Enable (or disable) server certificate authentication by using the GUI

Navigate to Traffic Management > Load Balancing > Services, and open an SSL service.
In the SSL Parameters section, select Enable Server Authentication, and specify a Common Name.
In Advanced Settings, select Certificates, and bind a CA certificate to the service.

Bind the CA certificate to the service by using the CLI

At the command prompt, type the following commands to bind the CA certificate to the service and verify the configuration:

bind ssl service <serviceName> -certkeyName <string> -CA

show ssl service <serviceName>
<!--NeedCopy-->

Example:

bind ssl service ssl-service-1 -certkeyName samplecertkey -CA
<!--NeedCopy-->

show ssl service ssl-service-1

            Advanced SSL configuration for Back-end SSL Service ssl-service-1:
            DH: DISABLED
            Ephemeral RSA: DISABLED
            Session Reuse: ENABLED          Timeout: 300 seconds
            Cipher Redirect: DISABLED
            SSLv2 Redirect: DISABLED
            Server Auth: ENABLED
            SSL Redirect: DISABLED
            Non FIPS Ciphers: DISABLED
            SSLv2: DISABLED SSLv3: ENABLED  TLSv1: ENABLED
    1)      CertKey Name: samplecertkey     CA Certificate          CRLCheck: Optional
    1)      Cipher Name: ALL
            Description: Predefined Cipher Alias
Done
<!--NeedCopy-->

Configure a common name for server certificate authentication

In end-to-end encryption with server authentication enabled, you can include a common name in the configuration of an SSL service or service group. The name that you specify is compared to the common name in the server certificate during an SSL handshake. If the two names match, the handshake is successful. If the common names do not match, the common name specified for the service or service group is compared to the values in the subject alternative name (SAN) field in the certificate. If it matches one of those values, the handshake is successful. This configuration is especially useful if there are, for example, two servers behind a firewall and one of the servers spoofs the identity of the other. If the common name is not checked, a certificate presented by either server is accepted if the IP address matches.

Note: Only domain name, URL, and email ID DNS entries in the SAN field are compared.

Configure common-name verification for an SSL service or service group by using the CLI

At the command prompt, type the following commands to specify server authentication with common-name verification and verify the configuration:

To configure a common name in a service, type:

set ssl service <serviceName> -commonName <string> -serverAuth ENABLED
show ssl service <serviceName>
<!--NeedCopy-->

To configure a common name in a service group, type:

set ssl serviceGroup <serviceGroupName> -commonName <string> -serverAuth ENABLED
show ssl serviceGroup <serviceGroupName>
<!--NeedCopy-->

Example:

> set ssl service svc1 -commonName xyz.com -serverAuth ENABLED
<!--NeedCopy-->

show ssl service svc

     Advanced SSL configuration for Back-end SSL Service svc1:
     DH: DISABLED
     Ephemeral RSA: DISABLED
     Session Reuse: ENABLED Timeout: 300 seconds
     Cipher Redirect: DISABLED
     SSLv2 Redirect: DISABLED
     Server Auth: ENABLED Common Name: www.xyz.com
     SSL Redirect: DISABLED
     Non FIPS Ciphers: DISABLED
     SNI: DISABLED
     SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
    1) CertKey Name: cacert CA Certificate OCSPCheck: Optional
    1) Cipher Name: ALL
     Description: Predefined Cipher Alias
Done
<!--NeedCopy-->

Configure common-name verification for an SSL service or service group by using the GUI

Navigate to Traffic Management > Load Balancing > Services or Navigate to Traffic Management > Load Balancing > Service Groups, and open a service or service group.
In the SSL Parameters section, select Enable Server Authentication, and specify a common name.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Server authentication

September 14, 2021

Contributed by:

S C

September 14, 2021

Contributed by:

S C

Server authentication

Enable (or disable) server certificate authentication

Enable (or disable) server certificate authentication using the CLI

Enable (or disable) server certificate authentication by using the GUI

Bind the CA certificate to the service by using the CLI

Configure a common name for server certificate authentication

Configure common-name verification for an SSL service or service group by using the CLI

Configure common-name verification for an SSL service or service group by using the GUI

In this article