Is there any support for SSL client certificates prior to SGOS




SGOS introduced support for presenting entire client certificates to SSL servers that require client certificate authentication (see 000010410 for more information). Prior to that release there was support for client certificates, but only to a limited extent.

It is possible for a ProxySG on versions prior to to verify the client's certificate and forward certain attributes of it (not the entire certificate) to the server when the connection is intercepted on an HTTPS Reverse Proxy service, as explained in 000013836 and shown in the image below.

This article, however, is specific to the ProxySG's ability to send the entire client certificate to a server that requires it. Prior to, this was supported, but only one certificate could be used per ProxySG unit: when a keyring is set as the SSL client keyring, the ProxySG presents that keyring's certificate whenever any server requests a client certificate. While this does not accommodate multiple servers that require different certificates, it suits reverse proxy deployments where the back-end server(s) require client certificate authentication and, if there is more than one server, all of them accept the same certificate or the same root/intermediate CA.

For example, if you created a keyring whose certificate was signed by submitting a certificate signing request (CSR), you can associate that keyring with the SSL client so that it is used for client certificate authentication to the back-end server(s). This is set under Management Console > Configuration > SSL > SSL Client (see image below):


*Note: To be clear, the limitation is that the SSL client keyring setting uses the same certificate for every SSL server the ProxySG connects to that requests a client certificate.

** Apart from the above scenarios, if you have problems accessing an HTTPS site that requires a client certificate and you are either running a version of SGOS previous to or do not otherwise have the client certificate to install, you will need to force the SG to TUNNEL the connection when the server sends a "Certificate Request". For more information, see 000011271.
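The three situations described above (one keyring certificate accepted by a back-end that trusts the issuing CA, the same certificate failing against a back-end that demands certificates from a different CA, and a connection with no client certificate at all failing when the server sends a Certificate Request) can be reproduced without a ProxySG. The Go program below is an added example, not part of this article or of SGOS: it uses only the standard library, generates two throwaway CAs in memory on every run, and runs each TLS connection over an in-memory pipe. The names backend-ca, partner-ca, proxysg-client, backend-a.example and backend-b.example are constructed for the example; the single "keyring" certificate stands in for the ProxySG's SSL client keyring.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// testCA is a constructed, in-memory CA (hypothetical; regenerated on every run).
type testCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool // trust store holding only this CA
}
func newCA(name string) *testCA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))))
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &testCA{cert: cert, key: key, pool: pool}
}

// issue signs a leaf certificate usable in either the server or the client role.
func (c *testCA) issue(name string, serial int64) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// exchange runs one TLS connection over an in-memory pipe. The server always sends a
// Certificate Request and accepts only client certificates chaining to clientCAs; the
// client offers clientCfg.Certificates (empty means no SSL client keyring configured).
func exchange(serverCert tls.Certificate, clientCAs *x509.CertPool, clientCfg *tls.Config) error {
	srvEnd, cliEnd := net.Pipe()
	for _, end := range []net.Conn{srvEnd, cliEnd} {
		end.SetDeadline(time.Now().Add(5 * time.Second)) // guard against a stalled pipe
		defer end.Close()
	}
	go func() { // the back-end server
		s := tls.Server(srvEnd, &tls.Config{Certificates: []tls.Certificate{serverCert},
			ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs})
		if s.Handshake() == nil {
			s.Write([]byte("ok")) // application data: the client certificate was accepted
		}
	}()
	c := tls.Client(cliEnd, clientCfg)
	if err := c.Handshake(); err != nil {
		return err
	}
	// Under TLS 1.3 the client finishes before the server has checked its certificate,
	// so read once to observe the server's verdict: application data or a fatal alert.
	_, err := c.Read(make([]byte, 2))
	return err
}

// scenarios plays the three cases the article describes and returns each outcome.
func scenarios() (sameCA, differentCA, noKeyring error) {
	backendCA := newCA("backend-ca") // signs both back-end servers and the proxy's keyring
	partnerCA := newCA("partner-ca") // backend B accepts client certificates from this CA only
	keyring := backendCA.issue("proxysg-client", 2) // the single SSL client keyring on the unit
	backendA := backendCA.issue("backend-a.example", 3)
	backendB := backendCA.issue("backend-b.example", 4)
	client := func(host string, certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: backendCA.pool, ServerName: host, Certificates: certs}
	}
	return exchange(backendA, backendCA.pool, client("backend-a.example", keyring)),
		exchange(backendB, partnerCA.pool, client("backend-b.example", keyring)),
		exchange(backendA, backendCA.pool, client("backend-a.example"))
}

func main() {
	sameCA, differentCA, noKeyring := scenarios()
	fmt.Printf("same CA: %v\ndifferent CA: %v\nno keyring: %v\n", sameCA, differentCA, noKeyring)
}
```

Only the first connection succeeds. One detail differs from the appliance: Go's TLS client declines to offer a certificate whose issuer is not in the server's list of acceptable CAs, so in the different-CA case the failure surfaces as the server rejecting an empty Certificate message, whereas a ProxySG presents its keyring certificate regardless; the outcome, a failed handshake, is the same, and the third case is exactly the situation in which the connection has to be tunnelled.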




Additional Information
InQuira Doc Id      FAQ2215

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      ProxySG
Software      SGOS 4, SGOS 5, SGOS 6
Article Number      000012017