Forum Discussion
39 Replies
- Spidey_29396Nimbostratus
profile clientssl new_web { defaults from clientssl key "new_web.key" cert "new_web.crt" ca file "new_web.crt" peer cert mode require }
- Kevin_StewartEmployee
It appears you're using the same certificate for the server cert and the trusted CA. This might only work if the client was also using this same cert and key to authenticate. The client and server certificates in an SSL handshake do not have to be (and rarely are) issued from the same CAs, but the trusted CA file MUST match the issuer of the client's cert.
- dragonflymrCirrostratus
Hi, Try this solution: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14499.html
I followed the outlined steps and client side certificate authentication worked without problem.
Piotr
- Rafa_Ayala_1738Nimbostratus
Hi,
In the sol: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14499.html
To create the Client SSL profile, use the following command syntax: create /ltm profile client-ssl ca-file client-cert-ca cert key peer-cert-mode require
For example, to create a new Client SSL Profile sample-clientssl by using the client certificate client1-cert, the client key client1-key, require client certificate mode, and the trusted CA and Advertised Certificate Authorities is clientCA-cert, type the following command: create /ltm profile client-ssl sample-clientssl ca-file clientCA-cert.crt client-cert-ca clientCA-cert.crt cert site-cert.crt key site-key.key peer-cert-mode require
What are these certificates? ( site-cert.crt key site-key.key )
Thank you
- dragonflymrCirrostratus
Hi, Those are your web server cert and key used for the standard SSL Handshake by the server to which the client is connecting. So the ones you have to set for a clientssl profile without client authentication. In the GUI you are setting those for the clientssl profile in the Configuration section - Certificate and Key fields.
Piotr
- Rafa_AyalaNimbostratus
Thanks Piotr
I have 2 problems:
followed the solution: https://support.f5.com/kb/en-us/solutions/public/14000/400/sol14499.html
and step:
Applying the certificates and keys to a Client SSL profile
when I create the ssl profile:
create / LTM ssl client-profile (profile name) ca-file cert.crt clientCA-client-cert-ca cert clientCA-cert.crt client1.crt client1.key key peer-cert-mode requires
there is an error:
010717e3: 3: Client profile must have RSA SSL certificate / key pair.
I understand that when I follow this solution, set up a CA and signed certificates, I wonder if I can issue one certificate for client authentication and one for the public IP or URL I have in the VS
thanks
- dragonflymrCirrostratus
Hi, I can't help you with finding the error in the tmsh command - never used it to set a clientssl profile. Considering GUI setup for a profile requiring client certificate based authentication my findings are: In the Configuration part of the profile the certificate and private key (with chain if necessary) is set - this is the cert and key that the server is using to prove its identity and generate the bulk encryption key (pre master secret, then master key). It is a completely separate cert and key from the one the client is using. The client cert can be signed by a completely different CA than the server cert (for example the server cert can be self signed but the client cert signed by some well known CA or private CA of the company). The client cert and key have to be installed on the client workstation and browser; it is used by the client to prove that he is what he claims he is, the server cert and key is to allow the server to prove that he is who he claims he is (and of course the server cert is necessary to encrypt traffic, the client cert or key is not used for that at all). Notice that the only thing you need to set in the Client Authentication section of the clientssl profile is the CA/CAs that the server trusts. The CA that signed the client cert has to be one of the CAs defined in the cert/chain cert set here. Advertised Certificate Authorities is not so important, it can be set but is not necessary to perform successful client certificate based authentication. I advise using Wireshark to trace the SSL Handshake to understand and troubleshoot errors. A great resource to read is this article series https://devcentral.f5.com/articles/ssl-profiles-part-1 - I learned a lot here and it helped me to figure out how to configure the profile and how to troubleshoot issues.
Piotr
- Rafa_AyalaNimbostratus
Thank you,
Configured again and these are my results:
Debug SSL:
May 27 13:26:42 asm03 debug tmm1[14565]: 01260006:7: Peer cert verify error: self signed certificate (depth 0; cert /C=MX/ST=DISTRITO FEDERAL/L=CIUDAD DE MEXICO/O=Servicios C.V/OU=Sitemas/CN=wit.com.mx/emailAddress=xxxxxx)
May 27 13:26:42 asm03 debug tmm1[14565]: 01260009:7: Connection error: ssl_shim_vfycerterr:3580: self signed certificate (48)
May 27 13:26:42 asm03 info tmm1[14565]: 01260013:6: SSL Handshake failed for TCP x.x.x.x:57862 -> x.x.x.x:8120
sent customer the certificates:
remote device:
client1.p12
F5 ASM:
set in: client authentication clientCA.crt and clientCA.key
- dragonflymrCirrostratus
Well, from the trace it looks to me that you are using a self-signed certificate as the client certificate (the one installed in the browser). I doubt it will work as the only CA is the certificate itself (if I can say so). Then there is no way to place any valid CA certificate in the Trusted Certificate Authority field.
I did it as described in solution mentioned in my old post:
Using openssl created a private CA (generating key and certificate)
Issue CSR for client certificate
Get it signed by my CA
Then convert client key/cert pair to PKCS12
Import in browser as User certificate for authentication
Select my private CA certificate in Trusted Certificate Authority field (sure imported it first into LTM via System > File Management > SSL Certificate List)
After that everything works like a charm.
Of course if you are using some public well known CA for signing the client certificate you have to set this CA in the Trusted Certificate Authority field (or probably the built-in ca-bundle will work)
Piotr
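The openssl steps Piotr lists above, together with Kevin's earlier point about reusing the server cert as the CA file, worked through as an added example (not code from the thread or from F5): it builds a private CA, issues and packs client1, then runs the same trust check that the Trusted Certificate Authorities field drives against three different certs. All names (clientCA, client1, site, selfsigned) and the PKCS12 password are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: rebuilds the CA/client-cert relationship
# the replies describe with openssl, in a scratch directory. All names and the PKCS12
# password are constructed for this example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Private CA: the certificate that belongs in "Trusted Certificate Authorities".
openssl req -x509 -newkey rsa:2048 -nodes -keyout clientCA.key -out clientCA.crt \
  -subj "/CN=clientCA" -days 30 >/dev/null 2>&1

# Client key + CSR, signed by the private CA (the cert the browser will present).
openssl req -newkey rsa:2048 -nodes -keyout client1.key -out client1.req \
  -subj "/CN=client1" >/dev/null 2>&1
openssl x509 -req -in client1.req -CA clientCA.crt -CAkey clientCA.key \
  -CAcreateserial -out client1.crt -days 30 >/dev/null 2>&1

# Client pair as PKCS12 for import into the browser's user certificate store.
openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12 \
  -passout pass:changeit

# Separate self-signed server cert: goes in the profile's Certificate/Key fields,
# and is NOT a valid trusted-CA file for client1 (the point about reusing one cert).
openssl req -x509 -newkey rsa:2048 -nodes -keyout site.key -out site.crt \
  -subj "/CN=site.example" -days 30 >/dev/null 2>&1

# A self-signed "client" cert: what the "self signed certificate (depth 0)" log line shows.
openssl req -x509 -newkey rsa:2048 -nodes -keyout selfsigned.key -out selfsigned.crt \
  -subj "/CN=selfsigned" -days 30 >/dev/null 2>&1

# verify_client CERT CAFILE: the chain check the trusted-CA field drives; prints ok or fail.
verify_client() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

verify_client client1.crt clientCA.crt      # ok
verify_client client1.crt site.crt          # fail: CA file is not the client cert's issuer
verify_client selfsigned.crt clientCA.crt   # fail: self signed certificate at depth 0
```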
- Rafa_AyalaNimbostratus
use the solution: SOL14499
[root@asm03:Active:Standalone] exampleCA ls client1.crt client1.key client1.p12 client1.pem client1.req clientCA.crt clientCA.key clientCA.p12 clientCA.pem client2.crt
convert client key/cert pair to PKCS12 and send customer the certificate: client1.p12
set in my ASM trusted certificate Authorities with the certificate: clientCA.crt
set in the profile ssl configuration :
wifi_host_test1 = client2.crt(self signed by my CA "clientCA-cert) <<<<<
Thank You
- dragonflymrCirrostratus
I assume that it started to work? I really missed the "using F5's self-signed certificate" part of this post subject :-( I doubt it's possible to use a self-signed cert as a client cert - it breaks the logic of certificate based authentication.
Piotr