I've been searching the manuals, help, and web for examples of having a USG110 allow HTTPS (SSL Admin access) with Authenticate Client Certificates, where the USG has previously created the client certificate as a self-signed certificate.
What I'm trying to work around is the documentation's requirement that the client certificate be signed by a separate CA, and that the USG put a certificate from that CA in its list of Trusted Certificates. I don't want to put the CA's certificate in my list of Trusted Certificates, because that could possibly open the door to any other certificates that the specific CA has signed. Please let me know if I'm misunderstanding this! Or being way too paranoid...
It seems like I should be able to give the client a self-signed certificate (with only the public key) and still have the USG be able to validate that certificate, since it has the original certificate with the matching private key.
>> Edit
Did I just get that backwards? For client authentication normally the client holds the private key and the server (USG) holds the public key. That way only the client with its private key can authenticate that public key...
Still figuring all this out.
Has anybody made this work, and if so how?
Thanks.
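As an added example (not from the original post, and not Zyxel or USG code), the script below shows the X.509 mechanics the question turns on, using Python's `ssl` module (OpenSSL underneath) as a stand-in for the USG: the server's trust store holds exactly one self-signed client certificate rather than a CA certificate, the client holds that certificate's private key, and a second self-signed certificate with the very same subject name is rejected. The names `usg`, `admin-client`, the loopback port and the `openssl` CLI on PATH are assumptions for the demo; whether the USG110 firmware accepts a self-signed leaf as an entry in its Trusted Certificates list is something only the device can confirm.

```python
"""Mutual TLS with a single pinned self-signed client certificate.
Added example standing in for the USG; assumes the `openssl` CLI is on
PATH and that a loopback TCP port can be opened."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(workdir, name, cn):
    """Create a self-signed certificate and its private key with the openssl CLI.
    Only the .crt (public half) is ever handed to the other side."""
    key = os.path.join(workdir, name + ".key")
    crt = os.path.join(workdir, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-days", "1", "-subj", "/CN=" + cn, "-keyout", key, "-out", crt],
        check=True, capture_output=True)
    return crt, key


def handshake(server_crt, server_key, trusted_client_crt, client_crt, client_key):
    """Run one TLS handshake over loopback. Returns the CN the server saw on a
    verified client certificate, or None if the server rejected the client."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(server_crt, server_key)            # server identity: cert + private key
    srv.verify_mode = ssl.CERT_REQUIRED                    # "Authenticate Client Certificates"
    srv.load_verify_locations(cafile=trusted_client_crt)   # trust store = this one self-signed cert, no CA

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(10)
            with srv.wrap_socket(conn, server_side=True) as tls:   # handshake verifies the client cert
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                seen["cn"] = subject["commonName"]
                tls.sendall(b"admin session for " + seen["cn"].encode())
        except OSError as exc:            # ssl.SSLError is an OSError: verification failed
            seen["error"] = str(exc)

    t = threading.Thread(target=serve)
    t.start()

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False                        # the client pins the exact server cert below; no DNS-name check in this demo
    cli.load_verify_locations(cafile=server_crt)      # trust exactly the server's self-signed cert
    cli.load_cert_chain(client_crt, client_key)       # the client is the side that holds its private key
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with cli.wrap_socket(raw) as tls:
                tls.recv(64)                          # wait for the server's verdict: data, or a TLS alert
    except OSError:
        pass                                          # rejected: alert or reset from the server
    t.join()
    listener.close()
    return seen.get("cn")


def demo():
    """Server trusts client A's self-signed cert. Client A is accepted; client B,
    a different self-signed cert with the same CN, is rejected."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_self_signed(d, "usg", "usg.example")        # assumed names
        a_crt, a_key = make_self_signed(d, "client-a", "admin-client")
        b_crt, b_key = make_self_signed(d, "client-b", "admin-client")
        return {
            "trusted": handshake(s_crt, s_key, a_crt, a_crt, a_key),
            "untrusted": handshake(s_crt, s_key, a_crt, b_crt, b_key),
        }


if __name__ == "__main__":
    print(demo())
```

Two points the demo makes concrete: the server never needs the client's private key, only the client's certificate, and with a self-signed certificate as the trust anchor the verifier accepts that one certificate and nothing else, so the "any certificate the CA has signed" concern does not arise. Exporting the key to the client (typically as a PKCS#12 bundle) and keeping only the certificate on the server side is the split to aim for.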