Forum Discussion

AlexDC_262478
May 05, 2016
Solved

Client Certificate Authentication - Machine or Client cert APM method

Hello,

I understand the Machine cert checker is a client-side check and the client cert checks are performed as part of the SSL negotiation. What I'm not sure about is which method to use to do basic client/machine certificate checking on APM for the correct CA and also CRL or OCSP checking. Is there much difference on a Windows machine between the machine cert and the client cert; is it just the cert location? Can you use either the APM machine cert or client cert method to validate the client certificate and achieve the same result, or are there limitations or constraints with either?

thanks

  • Hello,

    Machine cert auth is heavy for the endpoint. The browser needs admin rights to access and present the certificate located within the local machine store. That's why you need to install a helper from F5 on client devices. I think that it works with Microsoft devices only. My rule is: if you need an 802.1x-like solution, then machine cert validation is the right solution. Otherwise, I would recommend going with client cert auth, which offers more flexibility and can be used outside APM. In both cases CRL and OCSP checking work the same.

8 Replies

    • AlexDC_262478
      Thanks for the response. So the machine cert and client cert, from an endpoint perspective, are two different certs, or in 2 different stores? i.e. is the decision on which auth method to use also driven by which cert is installed on the endpoint? i.e. on corporate laptops, would an installed device certificate be available for machine cert auth and client cert auth? Also, I have read that machine cert didn't support CRL; is that the case? Thanks
    • Yann_Desmarest_
      The machine certificate is in the MY store within the Local Computer store and requires admin rights to access. A user certificate is in the MY store of the Personal store of the connected user. Your machine certificate should identify the device against network access like NAC, Wifi access, VPN access, etc. The question is: do you want to identify the device itself, or the user that tries to connect to your service? Mobile/tablet devices do not have separate stores for the device and the user, and most of the time you use user certificates for that purpose. As far as I remember, CRL checking for machine certs works since v12, and we implemented a workaround on older versions.
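An added example (not from this thread or from F5) that shows, in PowerShell on a Windows endpoint, the two stores Yann describes (LocalMachine\My for the machine cert, CurrentUser\My for the user cert) and builds each client-auth certificate's chain with online CRL/OCSP revocation checking, so you can confirm on the endpoint that the cert in the store your APM method will read chains to the expected CA and is not revoked. The issuing CA thumbprint is a placeholder, and the Client Authentication EKU filter is an assumption about what the APM policy requires.

```powershell
# Added example (not from the thread): list client-auth certificates in the two
# stores discussed above and build each chain with online revocation checking.
# Listing works without admin; reading machine-store private keys does not.

$ExpectedIssuerThumbprint = 'PLACEHOLDER_CA_THUMBPRINT'   # assumption: your issuing CA's thumbprint
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'                      # Client Authentication EKU (assumed requirement)

# Ordered so the machine store (APM machine cert check) is reported before the
# user store (what the browser presents during normal client cert auth).
$stores = [ordered]@{
    'LocalMachine\My (machine cert)' = 'Cert:\LocalMachine\My'
    'CurrentUser\My (user cert)'     = 'Cert:\CurrentUser\My'
}

function Test-ClientCertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRL/OCSP for every element
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($ClientAuthOid))) | Out-Null

    $ok = $chain.Build($Cert)
    # Element 0 is the leaf; element 1 is the issuer that signed it.
    $issuerOk = ($chain.ChainElements.Count -gt 1) -and
                ($chain.ChainElements[1].Certificate.Thumbprint -eq $ExpectedIssuerThumbprint)

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        ChainValid    = $ok
        IssuerMatches = $issuerOk
        # Empty when the chain is clean; otherwise e.g. Revoked, RevocationStatusUnknown, OfflineRevocation
        Status        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

foreach ($label in $stores.Keys) {
    Write-Host "== $label =="
    Get-ChildItem $stores[$label] |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
        ForEach-Object { Test-ClientCertChain -Cert $_ } |
        Format-Table -AutoSize
}
```

A result of RevocationStatusUnknown or OfflineRevocation means the CRL distribution point or OCSP responder could not be reached from the endpoint, which is worth resolving before relying on revocation checks in the APM policy.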