Enabling certificate verification, Configuring a ca certificate file – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


128

Brocade Virtual ADX Security Guide

53-1003250-01

Advanced SSL profile configuration

6

Enabling certificate verification

The Brocade Virtual ADX can be optionally configured to enforce client certificate verification. When
client certificate verification is configured, the Brocade Virtual ADX requires all clients to present
their signed certificates. The certificates are compared against trusted CAs and a connection is
allowed or denied.

You can enable client certificate verification on a per-ssl-handshake or per-connection basis in one
of two modes:

Request mode

Require mode

In request mode, a client-certificate is requested. The connection is allowed if the client presents a
valid certificate, or if a certificate is not presented at all. The connection is denied if a client
presents an invalid, revoked, or expired certificate.

In require mode, a client-certificate is always required.

Client-authentication can be used in the following four combinations:

Per-connection request

Per-connection require

Per-ssl-handshake request

Per-ssl-handshake require

Syntax: verify-client-cert per-ssl-handshake/per-ssl-connection request/require

per-ssl-handshake - Requests a client certificate for every new SSL handshake.

per-connection - Requests a client certificate for every new SSL connection.

The difference between the two modes is apparent only if SSL session caching is enabled. When this is
the case, multiple SSL connections share the same SSL session without performing a full SSL
handshake for each connection, so per-ssl-handshake mode requests a client certificate only when a
full handshake takes place, whereas per-connection mode requests one for every connection,
including connections that resume a cached session.

Configuring a CA certificate file

If you have enabled client certificate verification, you must configure a CA certificate under the SSL
profile. CA certificates are used by the Brocade Virtual ADX to verify the validity of certificates
presented by incoming clients.

CA certificates are typically imported from outside using SCP, in PEM format and are stored in the
secondary memory, just like regular certificate files.

Up to four CA certificate files can be specified under each SSL profile. Each CA certificate file can
contain multiple CA certificates (although, to keep configurations simple, we recommend that
different CA certificates be stored in different files).
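An added check, not taken from the Brocade guide, that uses the openssl command line to confirm which client certificates a PEM CA file will accept before it is imported into an SSL profile; it also shows how bundling two CAs in one file widens what is trusted, which is the reason behind the one-CA-per-file recommendation. It assumes openssl 1.1.1 or later is installed; every certificate is constructed on the fly as throwaway test material.

```shell
# Added example, not the guide's own configuration: check which client
# certificates a PEM CA file validates before importing it into a profile.
# Assumes the openssl CLI (1.1.1 or later). All certificates below are
# constructed here as throwaway test material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA key and certificate in PEM format.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_client NAME CA: client key and CSR, signed by the named CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CAcreateserial \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_against_ca CAFILE CERT: succeeds only if CERT chains to a CA in
# CAFILE, the same decision the ADX makes with its configured CA file.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# count_cas CAFILE: number of certificates bundled in one PEM file.
count_cas() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_ca trusted-ca
make_ca other-ca
make_client good-client trusted-ca    # signed by the CA we intend to trust
make_client rogue-client other-ca     # signed by an unrelated CA
# Bundling both CAs in one file makes rogue-client acceptable as well,
# which is why different CAs are better kept in different files.
cat "$WORK/trusted-ca.pem" "$WORK/other-ca.pem" > "$WORK/bundle.pem"

for ca in trusted-ca bundle; do
    for client in good-client rogue-client; do
        if verify_against_ca "$WORK/$ca.pem" "$WORK/$client.pem"; then
            echo "$ca ($(count_cas "$WORK/$ca.pem") CA certs): $client allowed"
        else
            echo "$ca ($(count_cas "$WORK/$ca.pem") CA certs): $client denied"
        fi
    done
done
```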

You can include up to 32 DN names for all root or intermediate CA certificates. This allows clients to
select appropriate CA and intermediate CA certificates for communication with a Brocade Virtual
ADX.

Unlike regular certificates, there is no need to load the corresponding key pair into the profile
before configuring a CA certificate, since the CA certificate belongs to the Certificate Signing
Authority, meaning its key pair is private and is not publicly available. The following example
specifies the CA certificate file named "certfile1" for SSL profile "profile1".
