Dynamic Client Certificate Generation (DC2G)
The Dynamic Client Certificate Generation feature allows NetScaler to facilitate end-to-end mutual Transport Layer Security (mTLS) communication. NetScaler achieves this by generating a new client certificate for the backend server-side handshake, using the information extracted from the client certificate provided during the client-side SSL handshake.
Traditional certificate-based authentication protocols, such as smart card authentication, require a complete end-to-end TLS handshake for client verification. Dynamic Client Certificate Generation feature overcomes this restriction, allowing security teams to inspect encrypted traffic (through decryption and re-encryption) while still satisfying smart card or certificate-based authentication requirements.
How it works
When DC2G is enabled, the NetScaler seamlessly manages both the client-side and server-side mTLS handshakes:
| Step | Client-Side Handshake (Client <-> NetScaler) | Server-Side Handshake (NetScaler <-» Server) | |
| 1 | The client sends Client Hello. | NetScaler initiates a handshake with Client Hello to the backend server. | |
| 2 | NetScaler responds with Server Hello and its configured certificate. | The server responds with Server Hello and its certificate. | |
| 3 | NetScaler sends Certificate Request to the client (Client Authentication must be enabled on the front-end). | The server sends a Client Certificate Request to NetScaler. | |
| 4 | The client responds with its certificate, and NetScaler verifies it. | NetScaler generates a new client certificate using the configured CA and sends it to the server (if the Dynamic Client Certificate Generation feature is enabled). | |
| 5 | The client-side SSL handshake completes. | The server-side SSL handshake completes. | |
The following are the benefits:
- Customers can manage application availability using NetScaler while maintaining strong mutual TLS communication.
- NetScaler decrypts, inspects the content, and then re-encrypts the TLS communication, even when Smart Card or certificate-based authentication is used.
- By operating as a middleman, NetScaler enables content inspection combined with NetScaler Console SSL insights or any other third-party tool for enhanced observability.
Enable Dynamic Client Certificate Generation
Prerequisites
- Ensure that the following is configured on the virtual server:
- The server certificate is to be served to clients.
- The CA certificate for verifying the client certificate such as the CA that issued the client’s actual certificate.
- Enable the client certificate authentication on the front-end enhanced SSL profile.
- Enable client certificate authentication on the backend origin server. The origin server must trust the NetScaler CA certificate used for generating the client certificates.
- Ensure to migrate to the enhanced SSL profile. For more information, see Migrate the SSL configuration to the enhanced SSL profile.
To enable Dynamic Client Certificate Generation using CLI
-
Enable the feature on the SSL profile bound to the backend service.
At the command prompt, type:
set ssl profile <backend_profile_name> -dynamicClientCert ENABLED -
Create a certificate key for the CA used to sign the generated dynamic client certificate. At the command prompt, type:
add ssl certkey <certkey_name> -cert <cert_file> -key <key_file> -
Bind the certificate key to the backend profile where the Dynamic Client Certificate Generation feature is enabled. At the command prompt, type:
bind ssl profile <backend_profile_name> --certkeyName <certkey_name> -forgingCACertkey
Notes:
- If the client certificate is configured as optional in the front end profile and the peer does not provide a certificate, NetScaler intentionally fails the handshake with the backend server.
- The Dynamic Client Certificate Generation feature works seamlessly with NetScaler SSL Orchestrator in the reverse proxy deployment. For more information, see ICAP for remote content inspection.
Limitations
The Dynamic Client Certificate Generation feature is not supported in the following scenarios:
- DTLS
- Admin partition environments