Modify a Rule Set to Configure Server Certificates
The Authentication Server (for X509 Authentication) rule set needs to be modified to ensure appropriate server certificates are submitted for the authentication server. The modification is done in a nested rule set.
Because it is possible to reach the authentication server under different host names and IP addresses, you can let the appliance submit a different server certificate each time, so that the host name or IP address is matched by the common name in the certificate.
To achieve this, you need to import a server certificate for each host name or IP address and add it to the list of server certificates.
- Select Policy | Rule Sets and expand the Authentication Server (for X509 Authentication) rule set.
- Expand the nested SSL Endpoint Termination rule set and, within this rule set, select the nested Accept Incoming HTTPS Connections rule set.
- In the Set client context rule, click the Proxy Certificate event settings.
The Edit Settings window opens. - In the Define SSL Context section, review the list of server certificates.
- To add a server certificate to the list:
- Click the Add icon above the list.
The Add Host to Certificate Mapping window opens. - In the Host field, enter the host name or IP address that the certificate should be submitted for.
- Click Import.
The Import Server Certificate window opens. - Click Browse and browse to the certificate you want to import.
- Repeat this activity to import a key and certificate chain with the certificate.
- Click OK.
The window closes and the import is performed. The certificate information appears in the Add Host to Certificate Mapping window.
- Click the Add icon above the list.
- [Optional] In the Comment field, type a plain-text comment on the server certificate.
- Click OK.
The window closes and the server certificate appears in the list. - Make sure the SSL-Scanner functionality applies only to client connection checkbox is selected.
This lets the appliance accept requests from its clients without contacting other servers of the network, which is not required in this communication. - Click OK to close the Edit Settings window.
- Click Save Changes.