Forum Discussion
Josiah_39459 | Mar 22, 2016 | Historic F5 Account
You just need to add the CA bundle for the signer of your client certs. It's in a different section and completely independent of the server/vip cert.
If you want to force the clients to send their client certs, then yes, you need Require.
- justin_westove1 | Mar 22, 2016 | Nimbostratus

Let's say we have a single virtual server on the F5 and we want to authenticate multiple different clients using certs... each client would have their own certificate. Would this be possible? Also, I'm not really sure what you mean when you say "add the CA bundle for the signer of your client certs." Here's the way I imagine this working.

1. I reach out to the customer to get a certificate from them that contains only the public key; they would maintain the private key for the certificate.
2. I load the client certificate into the F5 file store and create a new client SSL profile. This profile would contain the certificate along with the CA bundle but would contain NO key file. I would also specify within the client SSL profile that client authentication was a requirement.
3. I would then go to my Virtual Server on the F5 and apply this new client certificate SSL profile.
4. Applying this profile would give me a total of 2 client certs configured on the same Virtual Server. The first cert would be the standard SSL cert used to encrypt the http session. The second cert would be used for client authentication.

Thoughts?
- Josiah_39459 | Mar 22, 2016 | Historic F5 Account

I'm confused. Have you ever done client certification in any environment? I am mostly explaining how it works on F5, with the assumption you understand the general process. However, much of what you write is confusing to me. Let's try a more basic approach.

Speaking generally, client certs are valid if they are signed by a signer you trust and they haven't expired. You want to trust clients with these certs usually because YOU (your domain controller) or someone you trust (parent/partner/sibling company) gave them these certs. Often not manually, but through some automated process where they request a cert from some cert server under your administration and then install that cert on their "company" device.

If you want to trust certs from multiple signers, no problem, just bundle all the signers' certs into your CA bundle. You should have these certs or get them easily, because they are the certs used by the cert server that issues the clients their certs.
- justin_westove1 | Mar 23, 2016 | Nimbostratus

I assume then that it's fine for the signer to be a public CA such as Verisign or Thawte? I just set up a local CA on the F5 for testing using the openssl commands and signed a cert using the CA. I then imported the CA cert and key into the F5 and created a new SSL profile and set the client authentication to require. I then created a new F5 VS and applied my public cert from Thawte on the VS under client SSL profile AND.... I applied the new F5 Local CA bundle (has client authentication enabled). When I attempted to save the configuration the F5 spit out the following error:

"Selected client SSL profiles do not match security policies for Virtual Server..."

So the F5 can't have two certs on the same VS, one public with no client authentication and another being the CA bundle that I would use to authenticate my clients with client authentication enabled. Any thoughts on a way around this?
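An added example, not code from either poster or from F5, that shows with plain openssl what the "CA bundle" in this thread actually is and how a client cert is judged against it. It covers both Josiah's point (a bundle is just every trusted signer's cert concatenated, and a client is accepted only if it chains to one of them and has not expired) and Justin's local test CA. The signer names (acme, partner, untrusted), client names (alice, bob, carol) and the throwaway config are all invented for the example; everything is written to a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread or from F5. Builds three private signers,
# issues one client cert from each, bundles two of the signers, then verifies the
# client certs against that bundle the way a server-side CA-bundle check does.
# All names here are made up for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# make_ca NAME: a self-signed signer. Its .crt is what goes into a bundle; its .key stays with whoever issues certs.
make_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1 Client CA" -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.crt" 2>/dev/null
}

# issue_client CA NAME DAYS: the client makes its own key + CSR, the CA signs the CSR.
# The server side only ever needs NAME.crt (public part); NAME.key never leaves the client.
issue_client() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca.key" \
    -CAcreateserial -days "$3" -extfile "$WORK/ca.cnf" -extensions v3_client \
    -out "$WORK/$2.crt" 2>/dev/null
}

# build_bundle OUT CA...: a CA bundle is nothing more than the trusted signers' PEM certs concatenated.
build_bundle() {
  out="$WORK/$1"; shift
  : > "$out"
  for ca in "$@"; do cat "$WORK/$ca-ca.crt" >> "$out"; done
  echo "$out"
}

# verify_client BUNDLE NAME [EPOCH]: exit 0 only if NAME.crt chains to a signer in BUNDLE
# and is inside its validity period (checked at EPOCH when given, otherwise now).
verify_client() {
  if [ -n "${3:-}" ]; then
    openssl verify -attime "$3" -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/$2.crt" >/dev/null 2>&1
  fi
}

# Demo: two signers we trust, one we never bundled, one client issued by each.
make_ca acme; make_ca partner; make_ca untrusted
issue_client acme alice 30
issue_client partner bob 30
issue_client untrusted carol 30
build_bundle trusted.pem acme partner >/dev/null

for c in alice bob carol; do
  if verify_client trusted.pem "$c"; then echo "$c: accepted"; else echo "$c: rejected (signer not in bundle)"; fi
done
# The same trusted client checked 60 days from now: its 30-day cert has expired by then.
later=$(( $(date +%s) + 60 * 86400 ))
if verify_client trusted.pem alice "$later"; then echo "alice in 60 days: accepted"; else echo "alice in 60 days: rejected (expired)"; fi
```

Run it with sh; it prints alice and bob accepted, carol rejected, and alice rejected once her cert has expired. The trusted.pem it produces is the kind of file the thread calls the CA bundle: only signer certificates, no keys, and adding a second company's signer is just appending its cert. Note what the server side never holds: the clients' private keys stay with the clients, and the CA's private key is needed only by whoever issues the client certs.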