This section explains how to enable client certificate authentication on NSX Advanced Load Balancer. When client certificate authentication is enabled, NSX Advanced Load Balancer validates the SSL certificate presented by a client against a trusted certificate authority (CA) and a configured certificate revocation list (CRL): a certificate that does not chain to the trusted CA, or whose serial number appears on the CRL, is rejected.

Generating Keys and Certificates

To create a directory for the keys and certificates, follow the steps below:

  1. Log in to the NSX Advanced Load Balancer CLI.

  2. Use the mkdir command to create a directory to store the keys and certificates required for client authentication.

  3. Use the cd command to change into the directory.

$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $

To generate the certificate authority (CA) private key, use the openssl genrsa -out CA.key 2048 command. This creates a 2048-bit RSA private key (it does not yet create a certificate); the self-signed CA certificate is generated from this key in the next step.

[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................+++

e is 65537 (0x10001)
Generate the self-signed CA certificate (the -nodes option leaves the key unencrypted, and -days 1024 sets the validity period):
[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:
Note:

Leave the email address empty.

To generate the client certificate signing request (CSR), follow the steps below:

  1. Generate the client private key using the openssl genrsa -out client.key 2048 command.

  2. Use the openssl req -new -key client.key -out client.csr command to create the client CSR.

  3. Enter the Distinguished Name fields as required for your deployment.

Note:
  • The Common Name must match the hostname or FQDN of your client machine.

  • Leave the email address, the challenge password, and the optional company name empty.

Generate client CSR:
[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

To create the signed client certificate, sign the CSR with the CA certificate and key using the following OpenSSL command. The -CAcreateserial option creates the CA.srl serial-number file on first use so that each certificate issued by this CA gets a unique serial number, which is what a CRL later refers to.

[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
    -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key

To package the client key and certificate as a PKCS#12 (PFX) file, use the following OpenSSL command. The resulting client.pfx bundles the client private key, the signed client certificate, and (via -certfile) the CA certificate, in the format that clients such as browsers import. Provide an export password when prompted; it encrypts the private key inside the file, so choose a strong one and keep the file out of version control.

[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem \
    -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:
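The whole procedure above, run end to end as a script, together with checks that show what "validated against a trusted CA and a CRL" means in practice. This is an added example and not part of the NSX Advanced Load Balancer documentation: it uses -subj instead of the interactive prompts, adds X.509 extensions the page's commands do not set (CA:TRUE and keyCertSign/cRLSign on the CA, clientAuth on the client certificate), and goes beyond the page by also signing a certificate with an untrusted CA and by revoking the client certificate through a CRL, then checking each case with openssl verify. The directory name, the subjects, the export password, and the minimal openssl ca configuration are all made up for the demo; it assumes an OpenSSL 1.1.1 or later command-line tool on PATH.

```shell
#!/usr/bin/env bash
# Added example, not part of the NSX Advanced Load Balancer documentation.
# Assumes an OpenSSL 1.1.1+ command-line tool on PATH. All names below
# (directory, subjects, export password, ca.cnf contents) are made up.

# build_pki DIR: non-interactive version of the documented procedure.
# Runs in a subshell so that 'cd' and 'set -e' do not leak into the caller.
build_pki() (
    set -e
    mkdir -p "$1" && cd "$1"

    # 1. CA key and self-signed CA certificate. The extensions mark it as a
    #    CA that may sign certificates and CRLs; a self-signed certificate
    #    without basicConstraints is not accepted as a trust anchor by all
    #    OpenSSL builds, so they are set explicitly here.
    openssl genrsa -out CA.key 2048 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > ca_ext.cnf
    openssl req -new -key CA.key -subj '/C=US/O=Avi Networks/CN=demo.avi.com' -out CA.csr
    openssl x509 -req -in CA.csr -signkey CA.key -days 1024 -sha256 \
        -extfile ca_ext.cnf -out CA.pem 2>/dev/null

    # 2. Client key, CSR, and a CA-signed certificate restricted to TLS
    #    client authentication (the page's command issues it without EKU).
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -subj '/C=US/O=Avi Networks/CN=client.avi.com' -out client.csr
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature' \
        'extendedKeyUsage=clientAuth' \
        'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > client_ext.cnf
    openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
        -days 1024 -sha256 -extfile client_ext.cnf -out client.pem 2>/dev/null

    # 3. A second, untrusted CA signing the same CSR: the case a load
    #    balancer that trusts only CA.pem must reject.
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout rogue.key -sha256 \
        -days 30 -subj '/CN=Rogue CA' -out rogue.pem 2>/dev/null
    openssl x509 -req -in client.csr -CA rogue.pem -CAkey rogue.key -CAcreateserial \
        -days 30 -sha256 -extfile client_ext.cnf -out rogue-client.pem 2>/dev/null

    # 4. Revocation: a minimal 'openssl ca' database, revoke client.pem and
    #    issue the CRL that the load balancer would be configured with.
    printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' 'database = index.txt' \
        'crlnumber = crlnumber' 'certificate = CA.pem' 'private_key = CA.key' \
        'default_md = sha256' 'default_crl_days = 30' > ca.cnf
    : > index.txt
    echo 01 > crlnumber
    openssl ca -config ca.cnf -revoke client.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out CA.crl 2>/dev/null

    # 5. Bundle key + client certificate + CA certificate as PKCS#12.
    openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem \
        -certfile CA.pem -passout pass:demo-export-password
)

# verify_client DIR CERT [CRL]: exit 0 if DIR/CERT chains to DIR/CA.pem and
# is usable for TLS client authentication; non-zero if the issuer is not
# trusted or, when a CRL is given, the certificate has been revoked.
verify_client() {
    dir="$1"; cert="$2"; crl="${3:-}"
    if [ -n "$crl" ]; then
        openssl verify -CAfile "$dir/CA.pem" -purpose sslclient \
            -crl_check -CRLfile "$dir/$crl" "$dir/$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/CA.pem" -purpose sslclient "$dir/$cert" >/dev/null 2>&1
    fi
}

# pfx_subject DIR: subject of the client certificate stored in client.pfx,
# read back with the export password to confirm the bundle is usable.
pfx_subject() {
    openssl pkcs12 -in "$1/client.pfx" -passin pass:demo-export-password \
        -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Demo run: build everything in a scratch directory and report each check.
demo_dir=$(mktemp -d)
build_pki "$demo_dir" || { echo "PKI build failed" >&2; exit 1; }
verify_client "$demo_dir" client.pem        && echo "trusted client:   accepted"
verify_client "$demo_dir" rogue-client.pem  || echo "untrusted issuer: rejected"
verify_client "$demo_dir" client.pem CA.crl || echo "revoked client:   rejected"
echo "PFX contains: $(pfx_subject "$demo_dir")"
rm -rf "$demo_dir"
```

The two verify calls are the local equivalent of what the load balancer does with the presented certificate: -CAfile restricts trust to the one CA, -purpose sslclient insists on a certificate that is valid for client authentication, and -crl_check with -CRLfile rejects a serial number listed on the CRL. Note that -crl_check only checks the leaf certificate; use -crl_check_all when intermediate CAs are involved. The client certificate issued by the page's own command carries no extensions at all, which most verifiers still accept for client authentication, so the clientAuth and digitalSignature extensions here are hardening rather than a requirement.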