This article explains how to enable client certificate authentication on NSX Advanced Load Balancer. When client certificate authentication is enabled, NSX Advanced Load Balancer validates the SSL certificate presented by a client against a trusted certificate authority (CA) and a configured certificate revocation list (CRL).

Prerequisites

Knowledge of OpenSSL

Generating Keys and Certificates

Creating Directories for Keys and Certificates

  • Log in to the NSX Advanced Load Balancer CLI.

  • Use the mkdir command to create a directory in which to store the keys and certificates required for client authentication.

  • Use the cd command to change into that directory.

$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $

Generating Certificate Authority (CA) Key and Certificate

Use the openssl genrsa -out CA.key 2048 command to generate a 2048-bit RSA private key for the CA. Then use the openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem command to create a self-signed CA certificate from that key; both commands and their prompts follow.

[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................+++

e is 65537 (0x10001)
Generate self-signed CA Cert:
[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:
Note:

Leave the email address empty.

Generating Client Certificate Signing Request (CSR)

First generate a client private key, client.key, using the openssl genrsa -out client.key 2048 command. Next, use the openssl req -new -key client.key -out client.csr command to create a client CSR. Enter the details as required.

Note:
  • The Common Name should match the hostname or FQDN of your client machine.

  • Leave the email address, the challenge password, and the optional company name empty.

Generate client CSR:
[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating Signed Client Certificate

Use the following OpenSSL command to sign the client CSR with the CA key and produce the client certificate, client.pem.

[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key

Converting Client Key from PEM to PKCS12 (PFX)

Use the following OpenSSL command to convert the client key and certificate from PEM to PKCS12 (PFX); the resulting client.pfx bundles client.key, client.pem and the CA certificate. Provide an export password that you can remember, for example, avi123.

[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:
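The whole procedure above, as an added example that is not part of the original article: the CA, client key, CSR, signed certificate and PFX steps run non-interactively (-subj and -passout replace the prompts), followed by the chain check that client certificate authentication performs, including a self-signed client certificate that must be rejected. The scratch directory, the rogue.avi.com name and the subjects are constructed for this demo.

```shell
# Added example (not from the original article): the steps above run
# non-interactively, plus the CA chain check. Paths and subjects are constructed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # constructed scratch directory
SUBJ_BASE="/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering"

# CA: 2048-bit RSA private key, then a self-signed CA certificate from it.
# -subj replaces the interactive Distinguished Name prompts.
make_ca() {
    openssl genrsa -out "$WORKDIR/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/CA.key" -sha256 -days 1024 \
        -subj "$SUBJ_BASE/CN=demo.avi.com" -out "$WORKDIR/CA.pem"
}

# Client: private key, CSR with the client hostname as CN, CA-signed certificate.
make_client() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$1.key" -subj "$SUBJ_BASE/CN=$1" \
        -out "$WORKDIR/$1.csr"
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/CA.pem" \
        -CAkey "$WORKDIR/CA.key" -CAcreateserial -days 1024 -sha256 \
        -out "$WORKDIR/$1.pem" 2>/dev/null
}

# A self-signed client certificate with the same kind of subject: trust comes
# from the issuing CA, not from the name, so this one must fail the check.
make_selfsigned_client() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$WORKDIR/$1.key" \
        -subj "$SUBJ_BASE/CN=$1" -days 1024 -sha256 -out "$WORKDIR/$1.pem" \
        2>/dev/null
}

# PKCS12 bundle for the client; -passout supplies the export password ($2).
export_pfx() {
    openssl pkcs12 -export -out "$WORKDIR/$1.pfx" -inkey "$WORKDIR/$1.key" \
        -in "$WORKDIR/$1.pem" -certfile "$WORKDIR/CA.pem" -passout "pass:$2"
}

# Chain check against the trusted CA, as the load balancer does at handshake.
# Matches the ": OK" line rather than the exit code, which older OpenSSL
# releases did not set on failure. Prints "ok" or "fail".
verify_client() {
    out="$(openssl verify -CAfile "$WORKDIR/CA.pem" "$WORKDIR/$1.pem" 2>&1 || true)"
    case "$out" in
        *": OK"*) echo ok ;;
        *)        echo fail ;;
    esac
}
```

Run make_ca once, then make_client for each client hostname and export_pfx to hand the bundle to that client; verify_client is the check to run before uploading CA.pem as the trusted CA.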