Forum Discussion
Josiah_39459
Historic F5 Account
You just need to add the CA bundle for the signer of your client certs. It's in a different section and completely independent of the server/vip cert.
If you want to force the clients to send their client certs, then yes, you need Require.
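What the answer above describes, shown with plain `openssl` rather than on a BIG-IP (an added example, not part of the original posts; every CA name, customer name and file here is constructed): one CA bundle validates each client certificate that CA signed, and it is separate from whatever CA issued the server certificate.

```shell
#!/bin/sh
# Constructed demo: all names and files below are made up for illustration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert CA NAME: new key and CSR for NAME, signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# check_client BUNDLE CERT: prints accept or reject, the decision a
# server makes when BUNDLE is its trusted CA bundle for client certs
check_client() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo accept
  else echo reject
  fi
}

make_ca client-ca    # signer of the customers' client certs
make_ca server-ca    # signer of the server/VIP cert, unrelated
make_ca other-ca     # a CA the server does not trust for clients

issue_cert client-ca customer-a
issue_cert client-ca customer-b
issue_cert other-ca  outsider
issue_cert server-ca vip

# Only the client CA bundle is loaded for client authentication.
# The individual customer certs are never installed on the server.
for c in customer-a customer-b outsider vip; do
  echo "$c: $(check_client client-ca "$c")"
done
```

The two customer certificates are accepted from the single bundle, while the certificate from the other CA and the server's own certificate are rejected by it.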
justin_westove1
Mar 22, 2016 Nimbostratus
Let's say we have a single virtual server on the F5 and we want to authenticate multiple different clients using certs... each client would have their own certificate. Would this be possible?
Also, I'm not really sure what you mean when you say "add the CA bundle for the signer of your client certs." Here's the way I imagine this working.
1. I reach out to the customer to get a certificate from them that contains only the public key; they would maintain the private key for the certificate. I load the client certificate into the F5 file store and create a new client SSL profile. This profile would contain the certificate along with the CA bundle but would contain NO key file. I would also specify within the client SSL profile that client authentication was a requirement.
3. I would then go to my Virtual Server on the F5 and apply this new client certificate SSL profile.
4. Applying this profile would give me a total of 2 client certs configured on the same Virtual Server. The first cert would be the standard SSL cert used to encrypt the HTTP session. The second cert would be used for client authentication.
Thoughts?