Title of invention: Exchange of digital certificates in a client-proxy-server network configuration
Abstract: Various techniques are described to authenticate the identity of a proxy in a client-proxy-server configuration. The configuration may have a client-side and a server-side SSL session. In the server-side session, if the proxy has access to the private keys of the client, the proxy may select a client certificate from a collection of client certificates and send the selected certificate to the server to satisfy a client authentication request of the server. If the proxy does not have access to the private keys, the proxy may instead send an emulated client certificate to the server. Further, the client certificate received from the client may be embedded within the emulated client certificate so as to allow the server to directly authenticate the client, in addition to the proxy. An emulated client certificate chain may be formed instead of an emulated client certificate. Similar techniques may be applied to the client-side session.
Publication number: US9565180(B2) Publication date: 2017.02.07
Application number: US201213631646 Filing date: 2012.09.28
Applicant: Symantec Corporation Inventors: Yerra Srinivas; Krilovs Krists; Mohan Dharmendra; Frederick Ron; Green Tammy
Classification: H04L29/06; H04L9/32 Main classification: H04L29/06
Agency: Holland & Hart LLP Agent: Holland & Hart LLP
Principal claim: 1. A method for providing a client certificate from a proxy to a server, the proxy communicatively coupled between a client and the server, the method comprising: configuring at the proxy a collection of one or more client certificates and one or more client private keys, each client certificate corresponding to a client private key; defining a policy at the proxy which selects one of the client certificates based on information associated with an identity of the client; in response to a request from the server to the proxy to authenticate the identity of the client, selecting one of the client certificates based on the defined policy; and transmitting the selected client certificate from the proxy to the server.
Address: Mountain View CA US