AnsweredAssumed Answered

Accept all client certificates of intermediate CA

Question asked by Dommicentl on Feb 1, 2017
Latest reply on Feb 8, 2017 by Dommicentl

We have a client certificate that is signed by an intermediate certificate which is signed by a root certificate. Now we want to build a policy that allows all client certificate that are signed by the intermediate certificate.

 

We currently have the following policy

- Require SSL or TLS Transport with Client Certificate Authentication (So a client certificate has to be present)

- Authenticate Against Identity Provider

 

In the identity provider the intermediate certificate is added as a trusted certificate. This works however it seems that the intermediate certificate is never checked because the authentication works even without having the root certificate installed in the gateway. If we only add the root certificate as a trusted certificate for the identity provider, the authentication fails even if the client sends the whole certificate chain.

 

Are there any other ways to accept all client certificates signed by an intermediate certificate, where the whole certificate chain is checked?

Outcomes