The PKI profile contains the configured certificate authorities (CAs) and the certificate revocation list (CRL). A PKI profile is necessary if the Validation Type is set to Request or Required.
The PKI profile supports configuring and updating the client certificate revocation lists. The PKI profile is used to validate client or server certificates.
Client Certificate Validation: Avi Load Balancer validates client access to an HTTPS virtual service through client SSL certificates. Clients present their certificate when accessing the virtual service, and the certificate is matched against a CRL. If the certificate is valid and the client is not on the list of revoked certificates, the client is allowed to access the HTTPS virtual server. Client certificate validation is enabled through the HTTP profile’s Authentication tab. The HTTP profile references the PKI profile for specifics on the CA and the CRL. A single PKI profile may be referenced by multiple profiles.
Server Certificate Validation: Avi Load Balancer can validate the certificate presented by a server, such as when an HTTPS health check is sent to a server. Server certificate validation also uses a PKI profile to validate the certificate presented. Server certificate validation can be configured by enabling SSL within the desired pool, and then specifying the PKI profile.
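The check described above (the presented certificate must chain to a configured CA and must not appear on the CRL) can be reproduced with the openssl CLI. This is an added example, not Avi Load Balancer code or configuration; the throwaway CA, the clients alice and bob, and all file names are constructed for the demo.

```shell
# Added example: builds a throwaway CA, issues two client certificates,
# revokes one, and runs the CA + CRL check on both. All names are constructed.
build_demo_pki() {   # $1 = empty working directory
  ( set -e; cd "$1"
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
default_md = sha256
default_days = 1
default_crl_days = 1
policy = pol
[pol]
commonName = supplied
EOF
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=Demo CA" \
      -days 1 -keyout ca.key -out ca.pem
    for n in alice bob; do   # issue one client certificate per name
      openssl req -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$n" \
        -keyout "$n.key" -out "$n.csr"
      openssl ca -batch -notext -config ca.cnf -cert ca.pem -keyfile ca.key \
        -in "$n.csr" -out "$n.pem"
    done
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -revoke bob.pem
    openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key -gencrl -out crl.pem
  ) >/dev/null 2>&1
}
# Chain validation against the CA plus CRL lookup; exit status 0 means accept.
validate_client() {  # $1 = PKI directory, $2 = client name
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
    "$1/$2.pem" >/dev/null 2>&1
}
demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
for c in alice bob; do
  validate_client "$demo_dir" "$c" && echo "$c: accepted" || echo "$c: rejected"
done
```

Both certificates carry a valid signature from the same CA; only the CRL separates them, which is why an outdated CRL lets a revoked certificate through.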
To create a PKI profile, navigate to
.For detailed steps, see Create a PKI Application Profile.