Forum Discussion

Altostratus

Nov 27, 2019

Mutual auth using client certificate

Hi , I have a quick question about the mutual auth using the client certificate on the F5. The existing set up is to validate the incoming certificate from the client then allow the access t...

Cumulonimbus

Nov 27, 2019

Hi Reddy,

AFAIK you can't just modify the serverssl profile on the fly, and anyway, you will not have the Client Private Key in order to impersonnate him for mutual auth. If the backen application really requires the certificate information, 2 option in my options :

1 - If the backend requires SSL Mutual Auth (at the SSL connexion Level), you can use Client certificate constrained delegation

2 - If the backend can read HTTP Headers and doesn't require TLS Mutual Auth at connexion level, you can potentially add the Client certificate in an HTTP header as described here : https://devcentral.f5.com/s/question/0D51T00006i7UPA/inserting-ssl-client-certificate-into-the-header-of-the-http-session. But ensure that only the BigIP injects that header (delete header with the same name coming from Internet) otherwise you may cause a security issue :)

Hope this gives you pointers...

Yoann

Forum Discussion

Mutual auth using client certificate

Recent Discussions

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Open Redirection Mitigation

GTM Packet Capture command

How to Implement 2 Way SSL in F5 LTM

BWC iRule

Related Content

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

What is Mutual TLS (mTLS)?

Thumbprint of the client ssl certificate

Verifying Slack Requests with Mutual TLS

BIG-IQ Client Certificate (PKI) Authentication