Cisco Cisco Expressway 维护手册
■
Test whether a client certificate is valid when checked against the Expressway's current trusted CA list and, if
loaded, the revocation list (see
loaded, the revocation list (see
).
■
Test the outcome of applying the regex and template patterns that retrieve a certificate's authorization
credentials (the username).
credentials (the username).
You can test against:
■
a certificate on your local file system
■
the browser's currently loaded certificate
To test if a certificate is valid:
1.
Select the Certificate source. You can choose to:
—
upload a test file from your file system in either PEM or plain text format; if so click Browse to select the
certificate file you want to test
certificate file you want to test
—
test against the certificate currently loaded into your browser (only available if the system is already
configured to use Certificate validation and a certificate is currently loaded)
configured to use Certificate validation and a certificate is currently loaded)
2.
Ignore the Certificate-based authentication pattern section - this is only relevant if you are extracting
authorization credentials from the certificate.
authorization credentials from the certificate.
3.
Click Check certificate.
4.
The results of the test are shown in the Certificate test results section.
To retrieve authorization credentials (username) from the certificate:
1.
Select the Certificate source as described above.
2.
Configure the Regex and Username format fields as required. Their purpose is to extract a username from the
nominated certificate by supplying a regular expression that will look for an appropriate string pattern within
the certificate. The fields default to the currently configured settings on the Certificate-based authentication
configuration page but you can change them as required.
nominated certificate by supplying a regular expression that will look for an appropriate string pattern within
the certificate. The fields default to the currently configured settings on the Certificate-based authentication
configuration page but you can change them as required.
—
In the Regex field, use the
(?<name>regex)
syntax to supply names for capture groups so that matching sub-
patterns can be substituted in the associated Username format field, for example,
/(Subject:.*, CN=(?<Group1>.*))/m
.
—
The Username format field can contain a mixture of fixed text and the capture group names used in the
Regex. Delimit each capture group name with
Regex. Delimit each capture group name with
#
, for example,
prefix#Group1#suffix
. Each capture group
name will be replaced with the text obtained from the regular expression processing.
3.
Click Check certificate.
The results of the test are shown in the Certificate test results section. The Resulting string item is the
username credential that would be checked against the relevant authorization mechanism to determine that
user's authorization (account access) level.
The results of the test are shown in the Certificate test results section. The Resulting string item is the
username credential that would be checked against the relevant authorization mechanism to determine that
user's authorization (account access) level.
4.
If necessary, you can modify the Regex and Username format fields and repeat the test until the correct
results are produced.
Note that if the Certificate source is an uploaded PEM or plain text file, the selected file is temporarily
uploaded to the Expressway when the test is first performed:
results are produced.
Note that if the Certificate source is an uploaded PEM or plain text file, the selected file is temporarily
uploaded to the Expressway when the test is first performed:
—
if you want to keep testing different Regex and Username format combinations against the same file, you
do not have to reselect the file for every test
do not have to reselect the file for every test
—
if you change the contents of your test file on your file system, or you want to choose a different file, you
must click Browse again and select the new or modified file to upload
must click Browse again and select the new or modified file to upload
5.
If you have changed the Regex and Username format fields from their default values and want to use these
values in the Expressway's actual configuration (as specified on the Certificate-based authentication
configuration page) then click Make these settings permanent.
values in the Expressway's actual configuration (as specified on the Certificate-based authentication
configuration page) then click Make these settings permanent.
Note:
197
Cisco Expressway Administrator Guide