Eric,

Maybe I'm wrong here, but in the new API to generate config files, you can
have a single line separated with __RETURN__ instead of having to provision
a bunch of line entries.

Steve

On Mon, Apr 30, 2018 at 2:49 PM, Eric Friedrich (efriedri) <
efrie...@cisco.com> wrote:

> Someone else may find this useful, so I thought I would share. (Apologies
> for the earlier cross-post)
>
>
> Configuring TLS Client Authentication in Traffic Control (Experimental Testing Procedure)
> =========
> Note: Trafficserver does not currently allow per-Delivery Service
> (per-remap) configuration of client authentication. The below instructions
> will enable client authentication for all HTTPS services on a given
> profile/cache.
>
> 1) In TrafficOps, configure the Edge cache “Profile” to turn on client
> authentication. Set the following parameters:
>   - name: CONFIG proxy.config.ssl.client.certification_level
>   - file: records.config
>   - value: INT 2
> Screenshot: https://cisco.box.com/s/lxtlfbfrbpnaa17cnp4dddj2p0wwzril
>
>   - name: CONFIG proxy.config.ssl.CA.cert.filename
>   - file: records.config
>   - value: STRING etc/trafficserver/ssl/ca.crt
> Screenshot: https://cisco.box.com/s/hq7vubwd9z0k1g8705eaagbvdg0aokjc
> See below for instructions on generating the Certificate Authority (CA),
> Certificate and private key.
>
>
>   You can add the CA file via TrafficOps, but it's a painful process.
> Please see the screenshot. If you wish to skip this step, you can scp the
> file directly to the cache (/opt/trafficserver/etc/trafficserver/ssl/client_ca.crt)
>   Screenshot: https://cisco.box.com/s/849imlapxj1e30zi6y63a8fwd31swv21
>  (Now that I know what a take and bake is, I think I was better off
> before. Configuring a whole SSL Cert in here is pretty painful, but thanks
> to Jeff for the help on this step)
>
>
> 2) Queue and run ORT on caches to get updated settings
>
> 3) Verify by making a curl request
>     $ curl -k --cert ~/client_auth/client.crt --key ~/client_auth/client.key -v https://edge-cache-1.cdn.cisco.com/test.m3u8
>
> On success, you will receive the content.
>
> On failure, you will see something like:
> [cloud-user trafficserver]$ curl -k -v https://edge-cache-1.cdn.cisco.com/test.m3u8
> * About to connect() to localhost port 443 (#0)
> *   Trying ::1...
> * Connected to localhost (::1) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * skipping SSL peer certificate verification
> * NSS: client certificate not found (nickname not specified)
> * NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
> * SSL peer was unable to negotiate an acceptable set of security
> parameters.
> * Closing connection 0
> curl: (35) NSS: client certificate not found (nickname not specified)
>
>
> Generating a Certificate Authority and Client Certificate (optional)
> =========
> 1) Create the Certificate Authority Key
>     $ openssl genrsa -out client_ca.key 2048
>
> 2) Generate the Certificate Authority Cert
>     $ openssl req -new -x509 -key ./client_ca.key -out client_ca.crt
>
> 3) Generate the Client Key and Certificate Signing Request
>     $ openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
>
> 4) Use the Certificate Authority to sign the client certificate signing
> request
>    $ openssl x509 -req -in ./client.csr -CA ./client_ca.crt -CAkey ./client_ca.key -CAcreateserial -out client.crt
>
> 5) The client_ca.crt file is copied to the Trafficserver. The client
> (curl) is given client.crt and client.key
>
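The procedure quoted above, both sides of it, as an added Go example that is not part of the thread or of Traffic Control/Trafficserver: it issues a CA, a CA-signed client certificate and a server certificate in memory (the openssl steps, with Ed25519 keys in place of RSA 2048 for brevity), then runs a handshake against a server that requires a client certificate chaining to that CA, which is what certification_level 2 makes the cache do, once with the client certificate and once without, reproducing the succeeding and failing curl runs. The names Issue, Handshake, "edge" and "client-ca", and the in-memory pipe instead of a listening socket, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// Issue makes a key and certificate for cn: self-signed (a CA) when parent is nil, otherwise
// signed by parent's key, as "openssl x509 -req -CA client_ca.crt -CAkey client_ca.key" does.
func Issue(cn string, parent *tls.Certificate, eku ...x509.ExtKeyUsage) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed; a real CA tracks these
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku,
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey.(ed25519.PrivateKey))
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one TLS handshake over an in-memory pipe. The server requires a client cert
// chaining to ca (what certification_level 2 enforces); passing no client cert is the bare "curl -k".
func Handshake(ca, server tls.Certificate, client ...tls.Certificate) error {
	pool := x509.NewCertPool() // plays the role of the client_ca.crt copied to the cache
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "edge", Certificates: client}
	c, s := net.Pipe()
	s.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled pipe becomes an error, not a hang
	done := make(chan error, 1)
	go func() { err := tls.Server(s, srvCfg).Handshake(); s.Close(); done <- err }()
	cliErr := tls.Client(c, cliCfg).Handshake()
	c.Close() // unblocks the server's alert write when it rejects the client
	return errors.Join(<-done, cliErr) // nil only when both sides completed the handshake
}
```

With ca := Issue("client-ca", nil), srv := Issue("edge", &ca, x509.ExtKeyUsageServerAuth) and cli := Issue("client", &ca, x509.ExtKeyUsageClientAuth), Handshake(ca, srv, cli) returns nil while Handshake(ca, srv) returns the server's rejection, the two outcomes the thread shows with curl.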