We have a client certificate that is signed by an intermediate certificate, which is in turn signed by a root certificate. Now we want to build a policy that allows all client certificates that are signed by the intermediate certificate.
We currently have the following policy:
- Require SSL or TLS Transport with Client Certificate Authentication (So a client certificate has to be present)
- Authenticate Against Identity Provider
In the identity provider, the intermediate certificate is added as a trusted certificate. This works; however, it seems that the intermediate certificate is never checked, because the authentication works even without the root certificate being installed in the gateway. If we only add the root certificate as a trusted certificate for the identity provider, the authentication fails even if the client sends the whole certificate chain.
Are there any other ways to accept all client certificates signed by an intermediate certificate, where the whole certificate chain is checked?
In the scenario you outlined, it sounds as though the intermediate certificate you have imported has Trusted Anchor checked on the Validation tab. If you want the entire chain validated, you need to import the root CA and ensure that Trusted Anchor is checked, and import the Intermediate CA without Trusted Anchor selected. It will then accept all certificates signed by the Intermediate CA and validate up the entire chain. The gateway by default trusts no CA certificate, so each level needs to be explicitly trusted.
Director, CA Support
Thank you for your response. During our tests the trust anchor was in fact not checked, and that was why we found the behavior, and the fact that the gateway accepted the certificate, strange. On closer examination of the gateway settings, we found that our default certificate validation settings were not correct. They were set to "Validate" instead of "Validate Certificate Path". When we changed the setting, we indeed got the behavior you described and the behavior we want.
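The three configurations discussed in this thread can be reproduced outside the gateway with a plain X.509 path validator. The following Go program is an added example written for this page; it is not code from the gateway product or from anyone in the thread, and the CA names, serial numbers and validity periods are constructed for the demo. It builds a throwaway root CA, an intermediate CA signed by that root, and a client certificate signed by the intermediate, all in memory with freshly generated keys, then validates the client certificate three ways: with the intermediate as the only trust anchor (the original configuration, where the root is never consulted), with the root as the only anchor and no intermediate available (the failing configuration), and with the root as the anchor and the intermediate supplied as an untrusted chain-building certificate (the configuration the answer recommends, where the full path is checked).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI holds a constructed three-level chain: root CA -> intermediate CA -> client certificate.
// Everything here is generated at run time for the demo; nothing is read from disk.
type PKI struct {
	Root, Intermediate, Client *x509.Certificate
}

// newKey generates a P-256 key for one of the demo certificates.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub with parentKey. A nil parent means self-signed.
// CA certificates get keyCertSign; the leaf gets the clientAuth extended key usage,
// which is what a TLS client-certificate check will demand of it.
func issue(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // constructed names for the demo
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI constructs the chain from the thread: the root signs the intermediate,
// the intermediate signs the client certificate.
func BuildPKI() PKI {
	rootKey, interKey, clientKey := newKey(), newKey(), newKey()
	root := issue(1, "Example Root CA", true, &rootKey.PublicKey, nil, rootKey)
	inter := issue(2, "Example Intermediate CA", true, &interKey.PublicKey, root, rootKey)
	client := issue(3, "client-01", false, &clientKey.PublicKey, inter, interKey)
	return PKI{Root: root, Intermediate: inter, Client: client}
}

// verifyClient validates the client certificate against the given trust anchors.
// Certificates in untrusted are only used to build the path; they are not trusted
// themselves. It returns the length of the validated chain (leaf included) or an error.
func verifyClient(client *x509.Certificate, anchors, untrusted []*x509.Certificate) (int, error) {
	roots := x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range untrusted {
		inters.AddCert(c)
	}
	chains, err := client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

// TrustIntermediateOnly mirrors the original setup: the intermediate is the anchor,
// so validation stops there and the root is never consulted (chain length 2).
func (p PKI) TrustIntermediateOnly() (int, error) {
	return verifyClient(p.Client, []*x509.Certificate{p.Intermediate}, nil)
}

// TrustRootOnly mirrors the failing setup: the root is the anchor but the
// intermediate is not available, so no path can be built (unknown authority).
func (p PKI) TrustRootOnly() (int, error) {
	return verifyClient(p.Client, []*x509.Certificate{p.Root}, nil)
}

// TrustRootWithIntermediate mirrors the recommended setup: the root is the anchor
// and the intermediate is present but untrusted, so the whole path is validated
// up to the root (chain length 3).
func (p PKI) TrustRootWithIntermediate() (int, error) {
	return verifyClient(p.Client, []*x509.Certificate{p.Root}, []*x509.Certificate{p.Intermediate})
}

func main() {
	p := BuildPKI()
	for _, tc := range []struct {
		name string
		run  func() (int, error)
	}{
		{"anchor=intermediate", p.TrustIntermediateOnly},
		{"anchor=root, no intermediate", p.TrustRootOnly},
		{"anchor=root, intermediate untrusted", p.TrustRootWithIntermediate},
	} {
		n, err := tc.run()
		fmt.Printf("%-38s chain=%d err=%v\n", tc.name, n, err)
	}
}
```

The second scenario is the one the thread describes as "the client sends the whole certificate chain" but authentication still fails: a validator that only consults its configured trust store, and is not handed the intermediate as an untrusted path-building certificate, cannot reach the root. The third scenario is the equivalent of the gateway's "Validate Certificate Path" setting with the root marked as the anchor and the intermediate imported without it.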