Client Certificate Profiles

A client certificate profile manages the certificates that secure and authenticate network connections. The profile includes settings such as root certificate usage and validation methods; it can also define certificate validity terms and additional security features, such as authentication.

The client certificate profile verifies the user's certificate against the certificate authority's certificate chain. The UPN user attributes required by the profile must match the attributes in the certificate CN and/or SAN principal name; otherwise the certificate is considered invalid.

When certificate-based (PKI) authentication is selected, a preconfigured client certificate profile is specified, pointing to certificates that can then be used in various NGFW subsystems, such as the captive portal, VPN, web portal, and reverse proxy.

To create a client certificate profile, go to Settings ➜ UserGate ➜ Client certificate profiles, click Add, and specify the desired settings:

Name

The name of the client certificate profile.

Description

An optional description of the profile.

Get username from

The client certificate field from which the username used for identification is taken:

  • Common name (CN): name (title) given to the subordinate CA.

  • Subject alt name: user UPN.

CA certificates

The root CA certificates assigned to the profile: a list of certification authority certificates used to validate the client-supplied certificate. The client certificate is checked for validity against each CA certificate in the list, iterated from top to bottom.

Checking revoked certificates

The list of certificates that were revoked and cannot be used anymore. This list includes expired certificates and certificates that were stolen or compromised in any other way.

Certificate revocation status check method:

  • Do not check: do not check any certificate.

  • The whole chain: check all certificates in the chain and require that they are all valid.

  • User certificate: check only the client certificate.

  • Consider valid if the status has changed: if the CRL could not be verified for some reason, the certificate is considered valid (it is still checked and may be found invalid if it is on the revocation list).

Check timeout

The time interval after which NGFW stops waiting for the response from the certificate revocation list service.
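As an added illustration (not UserGate's own code), the decision logic these settings describe, modelled in Python over a constructed minimal certificate representation: the CA list consulted in order, the revocation-check scope, the fail-open meaning of the "consider valid" option versus the fail-closed default, and the username source. Field names and the CRL stand-in are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

# Constructed minimal certificate model for this example (not a real X.509 parser).
@dataclass
class Cert:
    subject_cn: str
    issuer_cn: str
    san_upn: Optional[str] = None   # SAN otherName principal name, if present

@dataclass
class ClientCertProfile:
    username_from: str              # "cn" or "san"  ("Get username from")
    ca_certs: List[str]             # trusted CA subject CNs, iterated top to bottom
    revocation_check: str           # "none", "whole_chain" or "user_cert"
    valid_if_unknown: bool = False  # "Consider valid if the status has changed"

def username_from_cert(cert: Cert, source: str) -> Optional[str]:
    """Pick the identification value as the profile's 'Get username from' setting does."""
    return cert.subject_cn if source == "cn" else cert.san_upn

def make_crl_lookup(revoked: Set[str], unreachable: Set[str]) -> Callable[[Cert], str]:
    """Constructed stand-in for a CRL service: some CNs are revoked, some time out."""
    def lookup(cert: Cert) -> str:
        if cert.subject_cn in unreachable:
            raise TimeoutError("CRL service did not answer within the check timeout")
        return "revoked" if cert.subject_cn in revoked else "good"
    return lookup

def evaluate(profile: ClientCertProfile, chain: List[Cert], crl_status: Callable[[Cert], str]):
    """chain = [client cert, intermediates..., root]. Returns (accepted, username, reason)."""
    client, root = chain[0], chain[-1]
    # 1. The chain must end at one of the profile's CA certificates (first match wins).
    if not any(ca == root.subject_cn for ca in profile.ca_certs):
        return False, None, "issuing CA not in profile"
    # 2. Revocation-check scope follows the profile setting.
    targets = {"none": [], "whole_chain": chain, "user_cert": [client]}[profile.revocation_check]
    for cert in targets:
        try:
            status = crl_status(cert)
        except TimeoutError:
            if profile.valid_if_unknown:   # fail-open: unknown status is treated as valid
                continue
            return False, None, f"CRL unavailable for {cert.subject_cn}"  # fail-closed default
        if status == "revoked":
            return False, None, f"{cert.subject_cn} is revoked"
    # 3. The chosen field must carry a username, otherwise the certificate is invalid.
    user = username_from_cert(client, profile.username_from)
    if not user:
        return False, None, "no username in certificate"
    return True, user, "ok"
```

Note that with `valid_if_unknown` the "whole_chain" and "user_cert" modes still reject a certificate the CRL explicitly lists as revoked; only an unreachable CRL is forgiven.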
