
SSL - Client Certs - Overview

Just like the SSL server certificate is used to verify the identity of the server to the client, clients can also present SSL certificates to the server to help verify their identity. SSL certificates presented by a client to the server are called Client Certificates. While most SSL servers do not require clients to present their own certificates, more and more servers are starting to, as client certs provide an additional factor of authentication. MOVEit DMZ supports accepting or requiring client certs on both the FTP/SSL and HTTPS interfaces.

As is the case with almost any client key/certificate scheme, the higher security offered by cryptographic-quality client certificates is offset by additional administrative work. The SSL server is typically configured either to require client certificates or not to use them at all (IIS can additionally be set to accept a client certificate when one is presented while still allowing connections without one), and the client certificate must be trusted by the server for the connection to continue. Trusting a client certificate, like trusting a server certificate, requires either that the certificate itself be trusted or that it be signed by a trusted Certificate Authority.

Client Certificate Connect/Authenticate Criteria

To use a client cert to authenticate a specific user to either the FTP/SSL or HTTPS interfaces, at least one of the following "CA" conditions and one of the following "credential" conditions must BOTH be true. Client certs must match one of the "CA" conditions in order to actually connect to MOVEit DMZ, while matching one of the "credential" conditions allows the client to authenticate to MOVEit DMZ.

Client Certificate Connect/Authenticate Example - Fixed Cert, Flexible Criteria

To illustrate how these conditions would apply to a real certificate, consider a client certificate with the following characteristics.

To use this certificate to connect and authenticate a specific user, one of the following "CA" conditions and one of the following "credential" conditions must be true.

Client Certificate Connect/Authenticate Example - Flexible Cert, Fixed Criteria

The following diagram provides an example in which the authentication criteria are fixed and a number of different client certs may be used for authentication. Please take a moment to find the following sections on the diagram:

[Diagram: fixed authentication criteria with several candidate client certificates]

Given this configuration, various client certificates will connect and authenticate with various degrees of success, depending on the CN, Thumbprint and CA associated with each certificate. (Self-signed certificates are indicated by a large black bar where most other certificates list the name of their CA.)
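The two-stage evaluation described under the connect/authenticate criteria above, and the mixed outcomes this diagram illustrates, as an added Python example that is not MOVEit DMZ code. It assumes a simplified certificate record (CN, issuer name, DER bytes), that the thumbprint is the SHA-1 of the DER encoding, and a per-user policy holding registered thumbprints and accepted CNs; all sample data is constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    """Assumed simplification of a parsed X.509 client certificate."""
    cn: str        # subject Common Name
    issuer: str    # issuing CA name (a self-signed cert names itself)
    der: bytes     # DER encoding; the thumbprint is computed over it

    @property
    def thumbprint(self) -> str:
        # Thumbprint as Windows displays it: SHA-1 over the DER bytes, upper-case hex
        return hashlib.sha1(self.der).hexdigest().upper()

@dataclass(frozen=True)
class UserCertPolicy:
    """Assumed shape of a user's 'Edit SSL Client Certificates' entries."""
    thumbprints: frozenset   # certs registered for this user by thumbprint
    cns: frozenset           # CNs accepted for this user

def can_connect(cert, trusted_cas, trusted_thumbprints):
    """CA gate: the cert itself is trusted, or its issuer is a trusted CA."""
    return cert.thumbprint in trusted_thumbprints or cert.issuer in trusted_cas

def can_authenticate(cert, policy):
    """Credential gate: the cert maps to the user by thumbprint or by CN."""
    return cert.thumbprint in policy.thumbprints or cert.cn in policy.cns

def evaluate(cert, trusted_cas, trusted_thumbprints, policy):
    """Return (connected, authenticated). A cert that fails the CA gate
    never reaches the credential gate, however good its CN or thumbprint."""
    connected = can_connect(cert, trusted_cas, trusted_thumbprints)
    return connected, connected and can_authenticate(cert, policy)

# Constructed sample data; the DER bytes are placeholders, not real certificates.
TRUSTED_CAS = frozenset({"Example Org CA"})
CA_SIGNED = ClientCert("jsmith", "Example Org CA", b"constructed-der-1")
SELF_SIGNED = ClientCert("jsmith", "jsmith", b"constructed-der-2")
FOREIGN_CA = ClientCert("jsmith", "Other CA", b"constructed-der-3")
WRONG_USER = ClientCert("bjones", "Example Org CA", b"constructed-der-4")
# The self-signed cert passes the CA gate only because it was imported explicitly.
TRUSTED_THUMBPRINTS = frozenset({SELF_SIGNED.thumbprint})
JSMITH = UserCertPolicy(frozenset({SELF_SIGNED.thumbprint}), frozenset({"jsmith"}))

if __name__ == "__main__":
    for c in (CA_SIGNED, SELF_SIGNED, FOREIGN_CA, WRONG_USER):
        print(c.cn, c.issuer, evaluate(c, TRUSTED_CAS, TRUSTED_THUMBPRINTS, JSMITH))
```

Note that FOREIGN_CA carries the right CN but never gets past the CA gate, while WRONG_USER connects yet cannot authenticate as jsmith.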

Client Certificate Administration

As noted above, the tradeoff for the increased security of client certificates is increased administrative overhead; MOVEit DMZ, however, tries to make managing users with client certs as easy as possible. Administration of client certs is done via the Edit SSL Client Certificates page, which is accessible from the User Profile. On the user profile page, click either the HTTP Policy or FTP Policy links...

[Screenshot: user profile page with HTTP Policy and FTP Policy links]

...then click on the Edit SSL Client Certificates link...

[Screenshot: policy page with Edit SSL Client Certificates link]

This will take you to the client certificate management page for the user.

[Screenshot: client certificate management page for the user]

From here, existing cert entries may be removed, and new ones added manually, imported from a file, or created from scratch. A "Trusted CAs" link also provides quick access to the list of trusted CAs and to the organizational CA used to sign any client certificates created through the web interface. The section at the bottom of the page also allows any pending Holding Tank entries to be accepted or removed.