Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Client authentication fails when set to require.

I have put client authentication to require.

I have CA chain in trusted certificates authorities and a certificate and key in certificate and key place. I exported both certificate and key out of f5 and converted it to .pfx and put in client browser. Also all the CA are also in browser.

When i set client authentication to request green lock is shown on browser but when i set it to require handshake fails.

Please help me. I can give all the date anyone require.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Muhammad,

The idea is that there are two endpoint-certificates: one for the server, in this case the F5's client-ssl profile, and one for the client, in this case your browser. Both certificates should be signed by a CA, it doesn't have to be the same CA though. You could theoretically use the same certificate for both, but that makes little sense.

The client-ssl profile allows you to configure a few things:

  • in order to have the F5 act as 'server' it needs:
    • a certificate (containing the public key)
    • the corresponding private key
    • the chain of certificates up to the root, excluding the root certificate itself.
  • in order to have the F5 act as 'server that requests a client certificate' it also needs:
    • to be enabled to request or require a client certificate (request means that when it fails, it simply ignores that, require means that you'll get a handshake failure message)
    • a CA to validate the certificate that your browser will send (Trusted Certificate Authorities)
    • a list of CAs to tell your browser which certificates it can try sending (Advertised Cettificate Authorities)

If the F5 says that the browser must (=>setting on require) send a certificate that was signed by a CA with common name 'TEST' (Advertised Certificate Authorities), but the browser doesn't have such a client certificate, it will simply fail to send and the F5 will abort the connection with a handshake failure message.

Does this answer your question?

Kind regards,

Thomas Schockaert

2
Comments on this Answer
Comment made 13-Nov-2014 by nathan 7276
Good info Thomas. Might I add, very simply and for other's sake, that the Trusted CA will be, most likely, an internal CA (from an internal PKI) that has signed a client certificate that has been exported/imported onto your client device. The browser will present this client certificate and say "yes" I trust the CA that signed that so on you go.
1
Comment made 13-Nov-2014 by Muhammad Irfan Khan 591
Thank you for speaking with me today. As we discussed, if you wish to require client authentication, the client computers will need to present a valid cert. As certificates are a way of identifying the client computer, the only way the certificate will be valid is if that certificate is specifically issued for the computer that presents it. So you will not be able to use a single certificate for all clients, each will require its own issued separately by your certificate authority. This is the verdict of F5 support case. Thanks all for the replying. Can all you verify this? Can i used F5 certificate on client browser? I though so but support guy said that you can only use a specific certificate generated on that user machine for the client authentication to work.
0