Client Consent Certificates and the ProxySG

Using Client Consent Certificates
You want information about using Client Consent Certificates.


The SSL Proxy, in forward proxy deployments, can specify whether a client certificate is required. These certificates are used for user consent, not for authentication. Whether they are needed depends upon local privacy laws.

With client consent certificates, each user is issued a pair of certificates with the corresponding private keys. Both certificates have a meaningful user-readable string in the common name field. One certificate has a common name that indicates grant of consent, something like "Yes, I agree to SSL interception". The other certificate has a common name indicating denial of consent, something like "No, I do not agree to SSL interception".

Policy is installed on the ProxySG to look for these common names and to allow or deny actions. For example, when the string "Yes, I agree to SSL interception" is seen in the client certificate common name, the connection is allowed; otherwise, it is denied.

To Configure Client Consent Certificates:

  1. Install the issuer of the client consent certificates as a CA certificate.
  2. In VPM, configure the Require Client Certificate object in the Action column of the SSL Layer.
  3. Configure the Client Certificate object in the Source column to match common names.
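
The certificate pair and the common-name rule described above can be reproduced with the OpenSSL command line. This is an added example, not ProxySG policy or vendor code; the CA name, file names, the OU field carrying the user name, and the `consent_decision` function that emulates the allow/deny rule are assumptions made for illustration.

```shell
# Added example: issue one user's consent certificate pair from a test CA and
# emulate the allow/deny rule. CA name, OU value and file names are constructed.
set -eu
YES_CN="Yes, I agree to SSL interception"
NO_CN="No, I do not agree to SSL interception"

make_ca() {  # $1 = working directory; this CA is what step 1 installs as issuer
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Corp/CN=Example Consent CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = directory, $2 = file prefix, $3 = common name, $4 = user
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example Corp/OU=$4/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

cert_cn() {  # print the subject common name of the certificate in file $1
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

consent_decision() {  # $1 = trusted CA cert, $2 = client cert ("" if none sent)
    [ -n "$2" ] && [ -f "$2" ] || { echo deny; return 0; }
    # The certificate must chain to the installed issuer before its CN counts.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo deny; return 0; }
    # Exact match on the grant string; anything else is denied.
    if [ "$(cert_cn "$2")" = "$YES_CN" ]; then echo allow; else echo deny; fi
}

# Demo run in a temporary directory (hypothetical user "alice").
dir=$(mktemp -d)
make_ca "$dir"
issue_cert "$dir" alice-yes "$YES_CN" alice
issue_cert "$dir" alice-no "$NO_CN" alice
for c in "$dir/alice-yes.pem" "$dir/alice-no.pem" ""; do
    echo "${c:-<no certificate>}: $(consent_decision "$dir/ca.pem" "$c")"
done
```

A certificate carrying the grant string but signed by a CA other than the installed issuer is denied by the `openssl verify` step, which is why the issuer is installed before the common-name match is configured.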
Additional Information
InQuira Doc Id: KB1409

First Published: 10/01/2014
Last Modified: 10/01/2014
Last Published: 10/01/2014
Product: ProxySG
Software: SGOS 4, SGOS 5
Topic: Services, SSL / HTTPS
Article Number: 000008552