It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda WAF-as-a-Service
Overview Documentation Training Certification Materials

Client Certification Authentication

  • Last updated on

You can authenticate users of your applications through a trusted certificate, rather than using passwords. Upload one or more trusted certificates from a Certificate Authority (CA) to enable users to access your applications. When a prospective user of your application connects to your server, their web client electronically presents their certificate for authentication. In return, your server can verify their certificate and, if it is acceptable, grant the user access to your application. 

Uploading a CA certificate to Barracuda WAF-as-a-Service requires a PEM file. Follow the instructions provided by your Certificate Authority to create a PEM file.

To Upload a CA Certificate

  1. In the WAF-as-a-Service web interface, click Applications in the left panel.

  2. On the Applications page, click on the application to which you want to upload the CA certificate.

  3. In the left panel, click Client Certification Authentication.

  4. Set Enable Client Certificate Authentication to ON.

  5. Click Add CA Certificate.

  6. On the Add Trusted (CA) Certificate window:

    1. Certificate Name - Enter a name for the certificate.

    2. Upload CA Certificate - Click Upload, locate the certificate, and click Open.

    3. Click Add.

To Add a HashiCorp Vault/AWS Secrets Manager Certificate

This feature is available only for applications deployed in custom containers.

  1. In the WAF-as-a-Service web interface, click Applications in the left panel.

  2. On the Applications page, click on the application to which you want to add the certificate.

  3. In the left panel, click Client Certification Authentication.

  4. Set Enable Client Certificate Authentication to ON.

  5. Click Add CA Certificate.

  6. On the Add Trusted (CA) Certificate window:

    1. Certificate Name - Enter a name for the certificate.

    2. Trusted (CA) Certificate - Click on the key icon. The name of the parameter changes to Certificate (Secret).

    3. Certificate (Secret) - Enter the certificate's secret path as stored in your key management system (AWS or HashiCorp) into the text box.

    4. Click Add.

Some customers use HashiCorp Vault to store “secrets” such as client certificates and private keys and other sensitive data and reference the path to these secrets on the Barracuda WAF-as-a-Service. This is supported with custom container deployments. In case of such a setup, the exported snapshot file will include the referenced secret mount path in the WAF-as-a-Service configuration. Secrets configured as part of the “Client Certificate” configuration element will be part of the exported snapshot file.

To ensure smooth operation and avoid service disruptions, providing a valid secret path from the vault and valid certificates for client authentication, server authentication, and endpoint security is crucial. Specifying an incorrect path or providing invalid certificates can cause the container to enter a continuous restart loop, leading to service unavailability.