Problem: A customer creates a local LoadMaster user login and also creates a Kemp-signed client certificate for that user. They later revoke this certificate using the UI controls, but the user is still allowed to log in using the same certificate.

Explanation: By default, the UI allows local users with self-signed certificates to log in even after the self-signed certificate expires, as long as that certificate was created by the LoadMaster itself.

Solution: To allow administrators to force LoadMaster self-signed client certificates to expire, a new switch has been provided that enables this checking for local UI logins.

When one of the three levels of client certificate support is enabled for UI login, there is a default minimal level of client certificate checking done in .57 and earlier; the default behavior in .58 (with the new option enabled) is exactly the same.

  • The client must provide a certificate. The certificate must be either:
    • A match for a certificate chain previously installed on the LM.
    • A Kemp-signed certificate whose SAN/CN field matches a local LM username. [The certificate chain is not validated in this case.]

With the new option disabled, LoadMaster will also check certificate chain validity for local user certificates -- and so revocation of a Kemp-signed certificate will now work.
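
The two checking modes described above can be compared in a simplified model. This is an added example, not LoadMaster code: the type, field and function names and the sample data are constructed for illustration, and `check_local_chain` stands for "chain validity is checked for local user certificates", not for the product's switch name.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientCert:
    chain_id: str      # constructed label for the chain the certificate presents
    name: str          # SAN/CN value
    kemp_signed: bool  # signed by the LoadMaster itself
    chain_valid: bool  # what chain validation would report (False once revoked)


def ui_login_allowed(cert: Optional[ClientCert], installed_chains: set,
                     local_users: set, check_local_chain: bool) -> bool:
    """Model of the UI login check; check_local_chain=False is the minimal level."""
    if cert is None:
        return False  # the client must provide a certificate
    if cert.chain_id in installed_chains:
        return True   # matches a certificate chain installed on the LM
    if cert.kemp_signed and cert.name in local_users:
        # Minimal level: the name match alone is enough, the chain is not validated.
        # Stricter level: the chain must also validate, so revocation takes effect.
        return cert.chain_valid if check_local_chain else True
    return False


# Constructed sample data (hypothetical names, not taken from a real unit).
INSTALLED = {"corp-ca-chain"}
USERS = {"alice"}
REVOKED_LOCAL = ClientCert("kemp-local", "alice", True, False)
VALID_LOCAL = ClientCert("kemp-local", "alice", True, True)
FOREIGN = ClientCert("other-ca", "alice", False, True)


def compare_modes() -> dict:
    """Return (minimal, stricter) login decisions for each sample certificate."""
    samples = {"revoked_local": REVOKED_LOCAL, "valid_local": VALID_LOCAL,
               "foreign": FOREIGN, "none": None}
    return {label: (ui_login_allowed(c, INSTALLED, USERS, False),
                    ui_login_allowed(c, INSTALLED, USERS, True))
            for label, c in samples.items()}


if __name__ == "__main__":
    for label, (minimal, stricter) in compare_modes().items():
        print(f"{label:14} minimal={minimal!s:5} stricter={stricter}")
```

Only the revoked Kemp-signed certificate changes outcome between the two modes, which is the behavior reported in the problem statement.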