This article describes how to configure a NetScaler SSL Virtual Server to request SSL Clients to submit a Client Certificate.
Note: Client Certificates are sometimes called User Certificates or Smart Card Certificates.
With Client Authentication enabled on an SSL virtual server, the NetScaler appliance asks for the Client Certificate during the SSL handshake. The appliance checks the certificate presented by the client for normal constraints, such as the issuer signature and expiration date. Here are some use cases:
- Require a valid Client Certificate before website content is displayed. This restricts website content to only authorized machines and users.
- Request a valid Client Certificate. If a valid Client Certificate is not provided, then prompt the user for Multi-Factor Authentication.
Client Authentication can be set to Mandatory or Optional.
- If Mandatory, and the SSL Client does not transmit a valid Client Certificate, the connection is dropped. Valid means: signed/issued by a specific Certificate Authority, and not expired or revoked.
- If Optional, NetScaler requests the client certificate but proceeds with the SSL transaction even if the client presents an invalid certificate or no certificate. This is useful for authentication scenarios (e.g. require two-factor authentication if a valid Client Certificate is not provided).
Note: Only user-based client certificates are supported. For device certificates (machine certificates), see Using Device Certificates for Authentication at Citrix Docs.
SSL Client Authentication can be enabled on any NetScaler SSL Virtual Server.
- If SSL traffic goes through a Content Switching Virtual Server, then enable Client Authentication on the Content Switching Virtual Server. This includes Unified Gateway.
- Otherwise, enable it on an AAA Virtual Server, Load Balancing Virtual Server, or NetScaler Gateway Virtual Server.
SSL Client Authentication can be enabled directly at the SSL Virtual Server, or by binding an SSL Profile. If Default SSL Profiles are enabled, then you must use an SSL Profile to enable Client Authentication, which means you create an SSL Profile with Client Authentication enabled, and then bind the SSL Profile to the SSL Virtual Server.
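The same configuration expressed as NetScaler CLI commands, as an added example that is not from the original article. The object names (`MyIssuingCA`, `lb_vsrv_web`, `ssl_prof_clientcert`) and the certificate file name are placeholders you would replace with your own; the CA bundle is assumed to already be uploaded to `/nsconfig/ssl/`.

```nscli
# 1. Import the issuing CA certificate (public cert only, no private key).
#    Client certs must chain to this CA to count as "valid".
add ssl certKey MyIssuingCA -cert MyIssuingCA.cer

# 2. Bind it to the SSL virtual server as a CA certificate (-CA), not as
#    the server certificate. Optional: tell NetScaler to check revocation
#    against the OCSP responder bound to this CA (assumes one is configured).
bind ssl vserver lb_vsrv_web -certkeyName MyIssuingCA -CA -ocspCheck Optional

# 3a. Direct method (Default SSL Profiles NOT enabled):
#     Mandatory = drop the handshake if no valid client cert is presented.
set ssl vserver lb_vsrv_web -clientAuth ENABLED -clientCert Mandatory

# 3b. SSL Profile method (required when Default SSL Profiles are enabled):
#     Optional = ask for a cert, but continue the handshake without one so a
#     AAA policy can fall back to multi-factor authentication.
add ssl profile ssl_prof_clientcert -clientAuth ENABLED -clientCert Optional
set ssl vserver lb_vsrv_web -sslProfile ssl_prof_clientcert

# 4. Verify: look for "Client Auth: ENABLED" and the CA binding in the output.
show ssl vserver lb_vsrv_web
save ns config
```

Use either step 3a or 3b, not both; if SSL traffic reaches the server through a Content Switching virtual server, run the `bind` and `set` commands against that CS vserver name instead.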