This article explains how to enable client certificate authentication on NSX Advanced Load Balancer. When client certificate authentication is enabled, NSX Advanced Load Balancer validates the SSL certificate presented by a client against a trusted certificate authority and a configured certificate revocation list (CRL).
Prerequisites
Knowledge of OpenSSL
Generating Keys and Certificates
Creating Directories for Keys and Certificates
Log in to the NSX Advanced Load Balancer CLI.
Use the mkdir command to create a directory to store the keys and certificates required for client authentication, then use the cd command to enter that directory.
$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $
Generating Certificate Authority (CA) Key
Use the openssl genrsa -out CA.key 2048 command to generate a 2048-bit RSA private key for the CA. Then use the openssl req -x509 command shown below to generate a self-signed CA certificate from that key.
[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................+++
e is 65537 (0x10001)

Generate self-signed CA Cert:

[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:
Leave the email address empty.
Generating Client Certificate Signing Request (CSR)
First generate a client private key (client.key) using the openssl genrsa -out client.key 2048 command. Next, use the openssl req -new -key client.key -out client.csr command to create a client CSR. Enter the Distinguished Name details as required.
The Common Name should match the hostname or FQDN of your client machine.
Leave the email address, the challenge password, and the optional company name empty.
Generate client CSR:

[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Creating Signed Client Certificate
Use the following OpenSSL command to sign the client CSR with the CA key and produce the client certificate (client.pem).
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key
Converting Client Key from PEM to PKCS12 (PFX)
Use the following OpenSSL command to package the client key and client certificate, together with the CA certificate, into a PKCS12 (PFX) file. Provide an export password that you can remember, for example, avi123.
[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:
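The following script is an added example and is not part of the NSX Advanced Load Balancer documentation or product. It runs the whole procedure above (CA key, self-signed CA certificate, client key, CSR, CA-signed client certificate, PKCS12 export) non-interactively by passing the Distinguished Name with -subj and the export password with -passout, and then reproduces with openssl verify the trust check the load balancer performs: the CA-signed client certificate must validate against CA.pem, while a self-signed certificate carrying the same Common Name but no relationship to the CA must be rejected. It assumes openssl is on PATH and works in a temporary directory; the subject fields, the client hostname client.avi.com and the password avi123 are the article's sample values, and the "rogue" certificate is constructed here purely to show a rejection.

```shell
#!/bin/sh
# Added example, not from the NSX Advanced Load Balancer docs.
# Assumes: openssl on PATH; writes into a temporary directory it removes at the end.
set -eu

# Equivalent of the mkdir/cd step: create a scratch directory and print its path.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/client-cert-auth-demo.XXXXXX"
}

# CA key plus self-signed CA certificate. -subj replaces the interactive DN
# prompts; -nodes leaves the key unencrypted, as in the article.
make_ca() {
    local dir="$1"
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/CA.key" -sha256 -days 1024 \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=demo.avi.com" \
        -out "$dir/CA.pem"
}

# Client key, CSR and CA-signed client certificate; $2 is the client's CN (hostname/FQDN).
make_client_cert() {
    local dir="$1" cn="$2"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=$cn"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/CA.pem" -CAkey "$dir/CA.key" \
        -CAcreateserial -out "$dir/client.pem" -days 1024 -sha256 2>/dev/null
}

# Bundle client key + client cert + CA cert into PKCS12. The export password is
# given with -passout so there is no prompt (avi123 is the article's sample value).
make_pfx() {
    local dir="$1"
    openssl pkcs12 -export -out "$dir/client.pfx" -inkey "$dir/client.key" \
        -in "$dir/client.pem" -certfile "$dir/CA.pem" -passout pass:avi123
}

# The trust check: does the presented certificate chain to the trusted CA?
# Prints "ok" or "rejected" (openssl verify exits non-zero on failure).
verify_against_ca() {
    local ca="$1" cert="$2"
    if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo ok
    else
        echo rejected
    fi
}

# Sanity check on the PFX: count the certificates stored in it (client + CA = 2).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:avi123 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# End-to-end run. Prints one summary line and returns 0.
run_demo() {
    local dir trusted rogue certs
    dir=$(make_workdir)
    make_ca "$dir"
    make_client_cert "$dir" client.avi.com
    make_pfx "$dir"
    # Constructed negative case: self-signed cert with the same CN but not issued
    # by CA.pem. A CA-based client-auth check must reject it.
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$dir/rogue.key" \
        -subj "/CN=client.avi.com" -days 1 -out "$dir/rogue.pem" 2>/dev/null
    trusted=$(verify_against_ca "$dir/CA.pem" "$dir/client.pem")
    rogue=$(verify_against_ca "$dir/CA.pem" "$dir/rogue.pem")
    certs=$(pfx_cert_count "$dir/client.pfx")
    rm -rf "$dir"
    printf 'trusted=%s rogue=%s pfx_certs=%s\n' "$trusted" "$rogue" "$certs"
}

run_demo   # prints: trusted=ok rogue=rejected pfx_certs=2
```

The negative case is the point of the exercise: a matching Common Name alone means nothing, and only the signature chain to the configured CA (together with the CRL on the load balancer side, which this script does not model) decides whether a client is accepted.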