example) ● mod_cluster (httpd dynamic load balancer) ● Undertow proxy (jboss servlet container) ● Ingress (in kubernetes, well Nginx or GCE) ● Traffic Server ● Nginx 10/12/22 13 Other protocols ● Jboss-remoting 10/12/22 21 Using TLS (1 httpd) httpd.conf SSLProxyEngine on SSLProxyCACertificateFile "/etc/pki/CA/cacert.pem" ProxyPass "/examples" "https://localhost:8443/examples" ProxyPassReverse "/examples"

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in ’export’ versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents called Server Gated Cryptography (SGC) and requires a Global ID server certificate, signed by a special CA certificate from Verisign. This enables strong encryption in 'export' versions of browsers, which traditionally your own CA certificate (ca.crt) and then verify the clients against this certificate. httpd.conf # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents signed by your own CA certificate (ca.crt) and then verify the clients against this certificate. # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient SSLVerifyClient require SSLVerifyDepth 1 SSLCACertificateFile conf/ssl.crt/ca.crt How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents signed by your own CA certificate (ca.crt) and then verify the clients against this certificate. # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient SSLVerifyClient require SSLVerifyDepth 1 SSLCACertificateFile "conf/ssl.crt/ca.crt" How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access

Creating a Root-Level CA As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents signed by your own CA certificate (ca.crt) and then verify the clients against this certificate. # require a client certificate which has to be directly # signed by our CA certificate in ca.crt SSLVerifyClient SSLVerifyClient require SSLVerifyDepth 1 SSLCACertificateFile conf/ssl.crt/ca.crt How can I force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the