Enabling CA Access Gateway (formerly Secure Proxy Server) to send client certificate for authentication to a backend server

Document ID : KB000046086
Last Modified Date : 14/02/2018




The CA Access Gateway (formerly CA Secure Proxy Server) is used as a reverse proxy: users connect through the SPS to backend servers. The connections from the SPS to the backend servers will often be over SSL (i.e. accessed using HTTPS), and the SPS may be required to present a client certificate to the backend server as part of the SSL handshake. This article shows how to set up the client SSL certificate in SPS.




The SPS may be required to authenticate to the backend server using a client X.509 certificate. To do this the SPS needs to store the client certificate and the private key securely and then present them to the backend server when required.




All (Windows, Linux, Solaris)



For CA Access Gateway, some backend connections require not just an SSL connection but also that the SPS identifies itself with a client X.509 certificate. These instructions show how to create and install the client certificate.

The requirements are mostly spelt out in the server.conf file:

# SSL client authentication is enabled.
# Location of the Key file : <install-dir>\SSL\clientcert\key\
# Location of public certs : <install-dir>\SSL\clientcert\certs\
# NOTE: Only put DER encoded, password encrypted pkcs8 keyfile.
# Client pass phrase should be encrypted using EncryptUtil tool.


The points to take away are:

· Both the cert and the keyfile need to be DER encoded.

· The keyfile has to be DER encoded and encrypted (it cannot be in the clear).

· SPS searches the clientcert/certs directory and loads every certificate it finds there.


Here are the steps:


Create the Cert Request

cd <install-dir>\SSL

..\bin\openssl req -out client2-CSR.csr -new -newkey rsa:2048 -nodes -keyout client2-privateKey.key -config ..\bin\openssl.cnf


Sign the Request


Send the CSR to your Certificate Authority; it signs the request and returns the certificate.

Generally, for testing purposes, your IT department will have some process for creating "test" certificates.


In my case I have a small test CA (a small batch file) that can do this and produces a client2-CERT.pem.

(Check what you get: sometimes the file has a .cer extension but the content is actually base64-encoded PEM format.)


Convert cert to DER encoding

..\bin\openssl x509 -in client2-Cert_x509.pem -out client2-Cert_x509.cer -outform der


Convert private key to encrypted pkcs#8 DER encoding

..\bin\openssl.exe pkcs8 -in client2-privateKey.key -topk8 -v2 des3 -out client2-privateKey-DER.key -outform DER


Put files in the right location:

Place the DER encoded client cert in: <install-dir>\SSL\clientcert\certs\

Place the encrypted DER encoded private key in: <install-dir>\SSL\clientcert\key\



Generate the Encrypted Password for the server.conf file:

cd <install-dir>\SSL\bin
EncryptUtil.bat password

Encrypted string: U2FsdGVkX18VcMWDmBEJG7CL2edypl03V6Ig1F3gON4=


Modify the server.conf file:





Restart SPS and check the server.log file:

All being well, you should see:


[17/Mar/2016:00:43:54-948] [INFO] - NoodleFileKeyStore.java : Loading 1 root certificates.

[17/Mar/2016:00:43:54-980] [INFO] - NoodleFileKeyStore.java : Successfully loaded keyfile.

[17/Mar/2016:00:43:54-995] [INFO] - Password is password

[17/Mar/2016:00:43:54-995] [INFO] - loaded priv key

[17/Mar/2016:00:43:55-433] [INFO] - RSASSLConfig.java : Successfully loaded keystore.
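The whole pipeline above, as an added shell example that is not part of this KB article and not CA product code: it stands in a throwaway openssl test CA for the author's batch-file CA, runs the same req, x509 and pkcs8 conversions, and then verifies the two output files before they are copied into clientcert\certs\ and clientcert\key\. Everything in it is assumed: openssl on the PATH, the file names, the certificate subjects and the demo passphrase. The EncryptUtil step has no stand-in here because that tool ships with SPS.

```shell
#!/bin/sh
# Added example, not from the KB article or the CA product.
# Builds DER client-certificate material for SPS with a throwaway test CA
# (stand-in for the author's batch-file test CA) and checks the result.
# Assumes openssl on PATH; names, subjects and passphrase are constructed.
set -u

# make_client_material DIR PASSPHRASE
#   Writes into DIR:
#     client2-Cert_x509.cer      DER certificate          -> SSL\clientcert\certs\
#     client2-privateKey-DER.key encrypted PKCS#8 DER key -> SSL\clientcert\key\
make_client_material() {
  dir=$1; pass=$2
  mkdir -p "$dir" || return 1

  # Minimal openssl.cnf (the article points -config at ..\bin\openssl.cnf);
  # v3_ca marks the test CA as a CA so that chain verification below works.
  printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_ca\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\n' \
    > "$dir/openssl.cnf"

  # Throwaway test CA; only for a lab, never for production trust stores.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Test CA" \
    -config "$dir/openssl.cnf" -keyout "$dir/testCA.key" -out "$dir/testCA.pem" 2>/dev/null || return 1

  # Step 1 (as in the article): CSR plus cleartext RSA key; -nodes means the key is not yet encrypted.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sps-client2" -config "$dir/openssl.cnf" \
    -keyout "$dir/client2-privateKey.key" -out "$dir/client2-CSR.csr" 2>/dev/null || return 1

  # Step 2: the CA signs the request and returns a PEM certificate.
  openssl x509 -req -days 30 -in "$dir/client2-CSR.csr" -CA "$dir/testCA.pem" -CAkey "$dir/testCA.key" \
    -CAcreateserial -out "$dir/client2-Cert_x509.pem" 2>/dev/null || return 1

  # Step 3: DER-encode the certificate (goes to clientcert\certs\).
  openssl x509 -in "$dir/client2-Cert_x509.pem" -outform der -out "$dir/client2-Cert_x509.cer" || return 1

  # Step 4: passphrase-encrypted PKCS#8, DER encoded (goes to clientcert\key\).
  # -v2 des3 matches the article; this passphrase is the one EncryptUtil later wraps for server.conf.
  openssl pkcs8 -topk8 -v2 des3 -in "$dir/client2-privateKey.key" -passout "pass:$pass" \
    -outform DER -out "$dir/client2-privateKey-DER.key" || return 1

  # The cleartext key is no longer needed; do not leave it next to the encrypted one.
  rm -f "$dir/client2-privateKey.key"
}

# verify_client_material DIR PASSPHRASE
#   Checks to run before copying the files into the SPS directories.
verify_client_material() {
  dir=$1; pass=$2
  cert="$dir/client2-Cert_x509.cer"; key="$dir/client2-privateKey-DER.key"

  # 1. The certificate must really be DER (a PEM file with a .cer extension fails here).
  openssl x509 -inform der -in "$cert" -noout -subject >/dev/null 2>&1 \
    || { echo "certificate is not DER encoded"; return 1; }

  # 2. The key must be unreadable without the passphrase (server.conf forbids a cleartext keyfile)...
  if openssl pkcs8 -inform DER -nocrypt -in "$key" >/dev/null 2>&1; then
    echo "private key is stored in the clear"; return 1
  fi
  # ...and readable with it.
  openssl pkcs8 -inform DER -in "$key" -passin "pass:$pass" >/dev/null 2>&1 \
    || { echo "wrong passphrase or unreadable key"; return 1; }

  # 3. The key must belong to the certificate: compare the public keys.
  certpub=$(openssl x509 -inform der -in "$cert" -noout -pubkey)
  keypub=$(openssl pkcs8 -inform DER -in "$key" -passin "pass:$pass" | openssl pkey -pubout)
  [ "$certpub" = "$keypub" ] || { echo "private key does not match certificate"; return 1; }

  # 4. The certificate must chain to the CA the backend server trusts.
  openssl verify -CAfile "$dir/testCA.pem" "$dir/client2-Cert_x509.pem" >/dev/null 2>&1 \
    || { echo "certificate does not chain to the CA"; return 1; }

  echo "client certificate material OK"
}

# Stand-alone usage: sh client-material.sh <outdir> <passphrase>
if [ $# -ge 2 ]; then
  make_client_material "$1" "$2" && verify_client_material "$1" "$2"
fi
```

The verification function is the part worth keeping around: it rejects a key that opens without a passphrase, a ".cer" file that is really PEM (the case noted above), a key that does not belong to the certificate, and a certificate the backend's CA would not accept. Any of those would otherwise only surface as a failed handshake or a keystore error in server.log after the restart.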


The client and CA Certificate that were generated and used in this example are attached to this document. 


Additional Information:

Java SE Debugging SSL/TLS Connections

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 Download

Details about SSL/TLS

Test Certificate Authority I used to sign the certificates


