Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?

Employee

Apr 30, 2013

1st question: you can create your own bundle file by adding both CA's certificates to a single certificate object in the GUI (choose paste text and paste X509 of both CA certs). Applying this ONE bundle file to a single client SSL profile in the VIP will allow client certificates issued by either of the two CAs to validate. When you add multiple client SSL profiles to a VIP it assumes that you're doing SNI, for which you'd have to configure one (or neither) as the default.

2nd question: I can't speak to the origin of the property name, but an Advertised Certificate Authorities certificate, or rather bundle of certificates (see above) provides a "root hint" mechanism in the SSL negotiation. During the SSL negotiation with client certificate authentication, the server will say "CertificateRequest" to the client, meaning that it wants a certificate. If you apply an Advertised Certificate Authorities bundle then the server will also send a list of issuers that it will accept from the client. In IE in most browsers this equates to a filtered list of client certificates in the certificate prompt.

Forum Discussion

Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?

Recent Discussions

Rundeck ansible F5 errors

What is the meaning is 52% block in WAF

rewrite Azure AD response for portal access via web portal

AS3 Monitoring multiple ports selectively

Open Redirection Mitigation

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Trust your CDN, but not completely

Copy over self IPs from several partitions

Doing mTLS Authentication per URL

Creating device trust / trust-domain through iControl REST Call(s)