Front-end Client Certificate Authentication

Affects version(s): 4.2, 5, 6.x, 7.x

This article describes a common pitfall when front-end client certificate authentication is configured with Airlock.

Summary

If client certificate authentication is configured on Airlock, make sure that all Certificate Authorities (CAs) the client certificate depends on, including intermediate CAs, are configured in the corresponding virtual host. The intermediate CA certificates are configured under "Virtual Host" - "Client Certificates" - "CAs for chain validation", as shown in the following screenshot. The window on the right side shows a client certificate with an intermediate CA certificate (blue box) in Firefox.

Screenshot: Import intermediate CA certificate

Description

When client certificate authentication is enabled on a Virtual Host or Mapping, the client must send an SSL certificate to Airlock during the SSL handshake. Depending on the type of client certificate store, the user may have to approve this step by entering a PIN or accepting a popup message.

If the client re-uses an already authenticated SSL session in a later request, which is usually the case after the keep-alive of the TCP session is over, Airlock validates the request without requesting the client certificate again. This improves the performance of the communication and reduces the number of times the user is asked to approve access to the certificate store.

To validate a re-used SSL session without requesting the client certificate again, Airlock has to cache the client certificate from the initial handshake. Because Airlock does not cache intermediate CA certificates, these certificates must be configured in the Virtual Host. If the client certificate depends on a CA certificate which is not configured in the Virtual Host and an SSL session is re-used, Airlock responds with an HTTP 403 Access Forbidden.

Note that with a missing intermediate CA in the Airlock configuration, the initial SSL handshake will still succeed, because the client usually sends the intermediate CA certificates together with the client certificate. This makes missing CA certificates in the Airlock configuration quite difficult to detect.
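To check whether the CAs configured on a virtual host are sufficient on their own, the following added example (not from the Airlock documentation) builds a constructed root > intermediate > client certificate chain with openssl and reproduces the three validations the article describes: the full handshake where the client supplies the intermediate, the resumed session validated against the root alone, and the resumed session with the intermediate configured. It assumes openssl is on the PATH; all certificate names and files are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo chain: Demo Root CA -> Demo Intermediate CA -> client "alice".
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA (self-signed; openssl's default v3_ca extensions mark it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Demo Root CA" -days 2 2>/dev/null
# Intermediate CA, signed by the root and explicitly marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 2 -extfile ca.ext 2>/dev/null
# Client certificate, signed by the intermediate only.
openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj "/CN=alice" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out client.pem -days 2 -extfile client.ext 2>/dev/null

# verify_chain CONFIGURED_CAS [CLIENT_SENT_INTERMEDIATES]
# Prints "ok" or "fail". Argument 1 plays the role of the CAs configured on the
# virtual host; the optional argument 2 plays the role of the intermediates the
# client sends in a full handshake (absent when a cached session is re-used).
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" client.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" client.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

cat root.pem inter.pem > root_and_inter.pem

# Initial handshake: the client supplies the intermediate, so root alone passes.
FULL_HANDSHAKE=$(verify_chain root.pem inter.pem)
# Re-used session: only the cached client certificate is available -> the 403 case.
RESUMED_ROOT_ONLY=$(verify_chain root.pem)
# Re-used session with the intermediate configured under "CAs for chain validation".
RESUMED_WITH_INTER=$(verify_chain root_and_inter.pem)
echo "full handshake: $FULL_HANDSHAKE, resumed (root only): $RESUMED_ROOT_ONLY, resumed (root+intermediate): $RESUMED_WITH_INTER"
```

The same `openssl verify -CAfile <configured CAs> <client cert>` call, run without `-untrusted`, is a quick way to confirm that a virtual host's configured CA set can validate a given client certificate on its own.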
