(v12.0.9111.30500 started 2024-12-11 16:09:49 on VM2)
Note on Certificate Loading This note is valid for the keywords MIM, MIMCA, SSL, SSLCC, SSLCC2, C$SSLCC, C$SSLCC2, SSLTARGET and TOTPC. The certificates are loaded when the routing table is loaded, except for SSLCC2, C$SSLCC2 and SSLTARGET. Here any specified certificates will be loaded at session setup. Therefore when using the keyword SSLTARGET: If possible use the keyword SSLCC for better performance.
Certificates can be loaded in following ways:
For Windows using the Microsoft Certificate Store (Current User or Local Machine): certfile.cer[/CU][/LM] ... certfile is the path to a certificate file with public key (no private key) - ASN.1 DER is the only supported certificate format supported. - The certificate file is not restricted to .cer files. Any PKCS7 signed file can be used. - It is used to look up the thumbprint (SHA1 hash) of the certificate.
thumbprint[/CU][/LM] ... thumbprint is the SHA1 hash (40 hex digits) of the certificate to look for.
email:emailfilter[/CU][/LM] ... emailfilter may contain * as wildcards The first certificate with matching email addres will be loaded. Example: SSLCC:email:*lei*@applicgate.com/CU
In all cases the switches /CU (search within store CurrentUser) and /LM (search within store LocalMachine) are optional, only one swich may be specified. If no switches are specified: search in store CurrentUser first, then in store LocalMachine. The thumbprint (or email address) will be used to look for the certificate within the specified stores. The private key must be stored within the certificate store. The existence of the private key will be checked when loading the certificate. If the certificate is stored in the store LocalMachine: Check protection if the private key can be used or use the command chktyp!
To disable a password prompt when accessing the private key: When importing certificates into the Microsoft certificate store: Do not select "Enable strong private key protection". Hint: Ensure that HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection is set to 0 or 1 to allow deselection of this feature.
For Windows and Linux using .pfx or .p12 files: cert.pfx/pass cert.p12/pass ... cert.pfx or cert.p12 must be a PKCS12 file that includes the private key, pass is the password to decrypt the file Caution: Use this approach within a test environment only because the password is in clear text! pass must not contain a semicolon (;)
For Windows and Linux: localhost ... An embedded certificate for localhost is used. On Windows the signing certificate will be stored in "Trusted Certification Authorities" of the user.
Extension: For all keywords mentioned above a special group (the name of the group must start with "S_") can be used instead of the certfile argument. This group must contain one line with the certfile argument, e.g. cert.pfx/1234 This is especially useful for the keywords C$SSLCC and C$SSLCC2 to allow local selection of the certfile in downloaded autologon client routing entries.