Client Certificate Authentication

I have attempted to get the APM Client Certificate Authentication as well as the iRule Based Client Certificate Authentication to function how I believe it should.

Everything works on the authentication aspect from a client perspective; however, I have one issue.

When I go to a site where I have configured APM or iRule client-certificate-based authentication, I get a pop-up asking the user to select one of the certificates that is on the user's machine. Of course it works when I select the proper certificate.

Is there any way to not ask the user for a cert or eliminate this action entirely? Passively determine what certificate is on the user's machine? I have tried this in both Chrome and IE and I get the same result.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Nicolas is right, if you set your SSL client profile correctly.

In particular, with "Advertised Certificate Authorities" you must not have this behavior, unless you have several certificates signed by the same CA on the client side...

If you have only one cert installed on the client side and you set "Advertised Certificate Authorities" with the right CA, it will be transparent for IE and Chrome (but I noticed that Safari asked to select the certificate despite the fact that there was only one)...

Regards

0
Comments on this Answer
Comment made 2 months ago by DenverRB 66

Awesome input guys, I will take a look at the Client Side Policies behavior on Browsers. In my testing the only browser I can get a pop up to not display by a config change within the F5 is Internet Explorer and the browser is just bad.

This makes it difficult with a number of different technologies using different browsers attempting to access the same Virtual IP with Client Certificate Based Authentication.

0
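To check what the answer above describes, the following added example (not from the thread or from F5) extracts the CA names a virtual server advertises from `openssl s_client` output and counts how many of a client's certificates were issued by one of them. The host name, sample output and issuer list are constructed, and the match is on the direct issuer only, which simplifies what browsers do with certificate chains.

```shell
#!/bin/sh
# Added example. Live use (vip.example.com is a placeholder):
#   openssl s_client -connect vip.example.com:443 </dev/null 2>/dev/null | advertised_cas

# Print the CA names from the server's certificate request, one per line.
# Prints nothing if the server sent no names.
advertised_cas() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        /^(Client Certificate Types|Requested Signature Algorithms|---)/ { in_list = 0 }
        in_list && NF { print }
    '
}

# $1: file of advertised CA names, $2: file with the issuer of each installed
# client certificate (one per line). Prints how many certificates qualify.
# Two or more means the browser has to ask the user which one to send.
candidate_count() {
    if [ -s "$1" ]; then
        grep -c -x -F -f "$1" "$2" || true
    else
        grep -c '' "$2" || true   # empty list: every certificate qualifies
    fi
}

# Constructed sample of s_client output (OpenSSL 1.1.1+ name format).
sample_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
EOF
}

# Constructed issuers of three certificates in a user's store.
sample_issuers() {
    cat <<'EOF'
C = US, O = Example Corp, CN = Example Issuing CA
C = US, O = Other Org, CN = Other CA
C = US, O = Example Corp, CN = Example Issuing CA
EOF
}
```

With the constructed data, two of the three certificates share the advertised issuer, which is the "several certificates signed by the same CA" case where a selection prompt is still expected.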
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

From my point of view, this issue can be solved only on the client side. Most browsers support automatic certificate submission via policy or extension in order to remove the certificate prompts.

For Chrome you can find more information regarding policy management here: https://support.google.com/chrome/a/answer/187202

0