This section explains how to enable client certificate authentication on NSX Advanced Load Balancer. When client certificate authentication is enabled, NSX Advanced Load Balancervalidates SSL certificates presented by a client against a trusted certificate authority and a configured client revocation list (CRL).
Generating Keys and Certificates
To create directories for keys and certificates, follow the steps below:
Login to the NSX Advanced Load Balancer CLI.
Use the following
mkdircommand to create a directory to store.Execute the keys and certificates required for client authentication.
Use the
cdcommand to access the directory.
$ mkdir client-cert-auth-demo $ cd client-cert-auth-demo [client-cert-auth-demo] $
To generate client certificate (CA) key, use the openssl genrsa -out CA.key 2048 command to generate a self-signed CA certificate with 2048-bit encryption.
[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048 Generating RSA private key, 2048 bit long modulus ......................................................................+++ e is 65537 (0x10001) Generate self-signed CA Cert: [client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:California Locality Name (eg, city) [Default City]:Santa Clara Organization Name (eg, company) [Default Company Ltd]:Avi Networks Organizational Unit Name (eg, section) []:Engineering Common Name (eg, your name or your server's hostname) []:demo.avi.com Email Address []:
Leave the email address empty.
To generate client certificate signing request, follow the steps below:
Generate a
client.keyusingopenssl genrsa -out client.key 2048command.Use
openssl req -new -key client.key -out client.csrcommand to create a client CSR.Specify all the details as per the requirement.
The Common Name must match the hostname or FQDN of your client machine.
Leave the email address, the challenge password, and the optional company name empty.
Generate client CSR: [client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:California Locality Name (eg, city) [Default City]:Santa Clara Organization Name (eg, company) [Default Company Ltd]:Avi Networks Organizational Unit Name (eg, section) []:Engineering Common Name (eg, your name or your server's hostname) []:client.avi.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
To create a signed client certificate, use the following OpenSSL command to create a signed client certificate.
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial - out client.pem -days 1024 -sha256 Signature ok subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com Getting CA Private Key
To convert client key from PEM to PKCS12 (PFX), use the OpenSSL command to convert the client key format from PEM to PKCS12. Provide an export password.
[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem Enter Export Password: Verifying - Enter Export Password:
