Managing Certificate Authority Certificates and CRL Files
The Traffic Manager can request that remote clients who connect over SSL provide a client certificate to authenticate themselves. To enable this behavior, configure the Traffic Manager with the public certificates from the Certificate Authorities (CAs) you trust, and optionally any Certificate Revocation Lists (CRLs) that they distribute.
With one or more CA certificates installed, each pool in your Traffic Manager configuration that has ssl_encrypt and ssl_strict_verify enabled verifies, whenever a connection is attempted, that the certificate presented was issued by the owner of one of the installed CA certificates, and rejects the connection otherwise.
To manage your CA certificates and CRLs, click Catalogs > SSL > Certificate Authorities and Certificate Revocation Lists Catalog.
To import a new CA or CRL file into the Traffic Manager, click Import certificate or CRL, and use one of the following methods:
• Click Choose File to upload a certificate or CRL file from your local workstation to the Traffic Manager.
• Type an HTTP URL or an HTTPS URL into the File URL box for the Traffic Manager to download directly.
• Type or copy the contents of a file into the File Contents box (PEM-encoded).
Click Import File to complete the process. The Traffic Manager imports the CA or CRL file and propagates the new information to all Traffic Managers in the cluster.
Make sure that the CA performs public key validity checks for certificates it issues in order to ensure cryptographic security when encrypted connections are made to nodes, or when virtual servers are configured to authenticate client certificates. For example, if FIPS Mode is enabled, only CAs known to have performed the checks as required by NIST SP 800-89 "Recommendation for Obtaining Assurances for Digital Signature Applications" (section 5.2) should be included in the CAs catalog.
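Before a file goes into the catalog it is worth confirming that it is what you expect: a PEM CA certificate that parses and still carries CA:TRUE, or a PEM CRL whose signature checks out against the CA it will sit beside. The POSIX shell functions below are an added example, not part of the Traffic Manager product or this documentation; they assume only that the openssl command-line tool is installed, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: pre-import sanity checks for files destined for the
# Certificate Authorities and CRL Catalog. Assumes the openssl CLI is installed.
#   check_ca_file  FILE          -> 0 if FILE is a usable PEM CA certificate
#   check_crl_file FILE CA_FILE  -> 0 if FILE is a PEM CRL signed by CA_FILE
# Failure reasons go to stderr. openssl x509 reads only the first certificate
# in a file, so split bundles and check them one certificate at a time.

check_ca_file() {
    f=$1
    # The catalog expects PEM, so the armour line must be present
    grep -q -e '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no PEM CERTIFICATE block" >&2; return 1; }
    # Must parse as X.509 and must not already be expired (-checkend 0)
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "$f: unparsable or expired certificate" >&2; return 1; }
    # A trust anchor must carry basicConstraints CA:TRUE; an end-entity
    # certificate pasted here by mistake cannot validate anything
    openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' \
        || { echo "$f: basicConstraints is not CA:TRUE" >&2; return 1; }
    return 0
}

check_crl_file() {
    f=$1; ca=$2
    grep -q -e '-----BEGIN X509 CRL-----' "$f" \
        || { echo "$f: no PEM X509 CRL block" >&2; return 1; }
    # The CRL must verify under the CA it is paired with; a CRL whose
    # signature does not check out must not drive revocation decisions
    openssl crl -in "$f" -noout -CAfile "$ca" -verify >/dev/null 2>&1 \
        || { echo "$f: signature does not verify against $ca" >&2; return 1; }
    # Without nextUpdate there is no way to tell when the CRL goes stale
    openssl crl -in "$f" -noout -nextupdate 2>/dev/null | grep -q 'nextUpdate=NONE' \
        && { echo "$f: CRL carries no nextUpdate" >&2; return 1; }
    return 0
}

# Usage (placeholder file names):
#   check_ca_file my-ca.pem && check_crl_file my-ca.crl my-ca.pem
```

Run the CA check first and the CRL check second, so that a CRL is only ever verified against a certificate that has itself passed.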