The PKI profile settings are explained below.

  • Name : The unique name for the profile.

  • Ignore Peer Chain : This option is disabled by default. When it is disabled, the peer must present a full certificate chain, which is traversed and validated from the certificate presented by the client or server up to the terminal root certificate. If this option is enabled, NSX Advanced Load Balancer ignores any certificate chain the peer/client presents. Instead, the root and intermediate certificates configured in the Certificate Authority section of the PKI profile are used to verify trust of the client’s certificate. Each intermediate certificate must be validated and matched against a CA certificate included in the PKI profile.

  • Host Header Check : If enabled, this option ensures that the virtual service’s VIP field, when resolved using DNS, matches the domain name field of the certificate that a server presents to NSX Advanced Load Balancer when back-end SSL is enabled. If the server’s certificate does not match, the server is considered insecure and marked down.

  • Enable CRL Check : If this option is selected, the client’s certificate is verified against the certificate revocation list.
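
The following added example (not part of the original page and not NSX Advanced Load Balancer code) models the Ignore Peer Chain setting with the openssl CLI: `-CAfile` stands in for the Certificate Authority section of the PKI profile and `-untrusted` for the chain the peer presents. All function names, file names and certificates are constructed for the illustration, and it assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example: models "Ignore Peer Chain" with the openssl CLI. Every name,
# key and certificate is constructed here; nothing comes from NSX ALB itself.

make_pki() {  # $1 = work dir; builds root -> intermediate -> client leaf
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ssl.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for n in inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ssl.cnf" \
      -subj "/CN=example-$n" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # The intermediate is signed by the root and marked as a CA.
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ssl.cnf" -extensions v3_ca -days 1 -out "$d/inter.pem" 2>/dev/null
  # The client leaf is signed by the intermediate, not by the root.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = Ignore Peer Chain (yes|no), $2 = CA bundle held in the PKI profile,
# $3 = chain sent by the peer,     $4 = the peer's leaf certificate
validate_peer() {
  if [ "$1" = yes ]; then
    # Peer chain is discarded: only profile CAs can link the leaf to a root.
    openssl verify -CAfile "$2" "$4" >/dev/null 2>&1
  else
    # Peer chain supplies the intermediates; the profile supplies the anchor.
    openssl verify -CAfile "$2" -untrusted "$3" "$4" >/dev/null 2>&1
  fi
}

verdict() { if validate_peer "$@"; then echo accept; else echo reject; fi; }

run_cases() {
  w=$(mktemp -d) && make_pki "$w" || return 1
  cat "$w/root.pem" "$w/inter.pem" >"$w/root_and_inter.pem"
  echo "off/root-only=$(verdict no "$w/root.pem" "$w/inter.pem" "$w/leaf.pem")"
  echo "on/root-only=$(verdict yes "$w/root.pem" "$w/inter.pem" "$w/leaf.pem")"
  echo "on/root+inter=$(verdict yes "$w/root_and_inter.pem" "$w/inter.pem" "$w/leaf.pem")"
  rm -rf "$w"
}

run_cases
```

The middle case is the one to watch for when turning the option on: a profile that holds only the root rejects clients whose certificates were issued by an intermediate until that intermediate is added to the profile.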

For more information, refer to Create a PKI Profile.