Using Certificates in HTTPS Clusters
About Client Certificates
If you want to use client certificates with an HTTPS cluster, you’ll need to get a signed client
certificate from a CA, or create a self-signed certificate. A client certificate needs to be installed
on each client that will access the Equalizer cluster, as well as on Equalizer.
Just as with server certificates, you may need to install a client certificate and a chained root
certificate, if you obtain your certificates from a CA without its own Trusted Root CA certificate.
Some sites prefer to use self-signed certificates for clients, or set up their own local CA to issue
client certificates.
Client certificates can be used in two ways with Equalizer:
1. Install the entire client certificate chain on Equalizer. This requires that every client pass the exact same certificate to Equalizer for validation.
2. Install an intermediate CA certificate as the client certificate on Equalizer. This allows unique certificates to be used on clients while only a single client certificate is uploaded to Equalizer. This method requires some certificate processing on the servers behind Equalizer in order to prevent access by clients with revoked certificates, and therefore should be used only under the following conditions:
a. If the site is able to use an intermediate CA, or multiple CAs, which signs all and only certificates authorized for use with the cluster,
AND
b. If the application running on the servers behind Equalizer is able to perform Certificate Revocation List (CRL) processing by matching the CSN (certificate serial number) to the intermediate CA's CRL, and does so for all requests,
THEN
c. Equalizer can safely support the use of individual client certificates for different clients, by setting the verify depth option for the HTTPS cluster appropriately and uploading the intermediate CA's certificate to the cluster as the client certificate. If client certificates use different CAs, multiple intermediate CAs can be uploaded to Equalizer in a single file.
This method ensures that only certificates that pass the CRL check on the server can be used to access the cluster. Note that this method also assumes that validating only the intermediate certificate, as in (b) above, is sufficiently secure for the site.
808
Copyright © 2014 Coyote Point Systems, A Subsidiary of Fortinet, Inc.