I am trying to configure "client certificate constrained delegation" new in 13.1.x.x. This is used for 2 way SSL authentication. I am trying to add a subordinate CA certificate and key to the serverssl profile but continue to get the error "client certificate constrained delegation key is missing."
Has anyone worked with this new feature as yet or may know what is causing this error?
I am also having this issue. Did you ever figure out how to make it work?
Here's what you do:
Client SSL Profile
Server SSL profile
The certificate that you insert into the server SSL profile is used as a template for the forged client cert. The private key is used to generate the CSR for the forged client cert.
Also, under normal conditions, the F5 and backend server attempt to resume existing SSL sessions, whereby the server doesn’t send a Certificate Request message. The effect is that all connections to the backend server use the same forged client cert.
There are two ways to get around this:
Thanks for the info about the client certificate / key.
Does it mean all client certificates share same private key?
Yes, but four things to keep in mind:
The fingerprints are all unique between the certificates, so they’re not interchangeable.
The certificates are in-memory ephemeral and never cached.
This method allows you to store the private key in an HSM for additional (albeit arguably unnecessary) security.
Generating private keys on-the-fly is an extremely CPU-intensive process, so literally any product that does some form of certificate forgery will do it this way.
Maybe I am overthinking this, but I am just not clear on exactly where I would obtain the CA cert and key to use for forging.
Let's say the server cert was obtained from Entrust CA 1. Do I just need a copy of the Entrust CA 1 cert and key as well as the actual server cert and key that Entrust issued?
Appreciate any guidance on that. Again, maybe I am overthinking here but everything I have read has glossed over that section in my opinion.
Client Certificate Constrained Delegation uses a local CA certificate and key to forge the new client certificate, so the internal servers must trust this local CA.
Ahh. So I use a self-signed CA on the F5 and then export that to the server admins. Thanks!
Yes, but it doesn't have to be self-signed. Many organizations already have a PKI environment as a function of the AD, so you could simply have the AD issue you a subordinate CA that the servers would already trust.
Excellent idea. I will talk to my AD admins about that. Thanks again!
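The behaviour described above (one local CA whose cert and key go in the server SSL profile, one private key reused for every forged client certificate, unique fingerprints per certificate, and backend servers that must trust the local CA) can be inspected outside the BIG-IP with the openssl CLI. The script below is an added walkthrough, not code from the thread or from F5's C3D implementation; it assumes `openssl`, `mktemp` and `awk` are available, the self-signed CA and the two client subjects ("alice", "bob") are constructed for the example, and the subject of each forged certificate is passed in explicitly, whereas the BIG-IP takes it from the certificate the real client presented.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: emulate with the openssl
# CLI what C3D does with the CA cert/key in the server SSL profile, so the
# "one private key, unique fingerprints" behaviour can be inspected.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Local CA the internal servers must trust. Self-signed here for the demo;
# an AD-issued subordinate CA would be used in exactly the same way.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = C3D Local CA example
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -config "$WORK/ca.cnf" -extensions v3_ca \
  -keyout "$WORK/c3d-ca.key" -out "$WORK/c3d-ca.crt" >/dev/null 2>&1

# The single private key reused for every forged client certificate.
FORGE_KEY="$WORK/forge.key"
openssl genrsa -out "$FORGE_KEY" 2048 >/dev/null 2>&1

# Extensions for the forged leaf certificates (constructed for the example).
printf 'extendedKeyUsage = clientAuth\n' > "$WORK/client.ext"

# forge_client_cert SUBJECT OUT: CSR from the shared key carrying the subject
# of the real client (assumed: passed in here), signed by the local CA.
forge_client_cert() {
  openssl req -new -key "$FORGE_KEY" -subj "$1" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$WORK/c3d-ca.crt" -CAkey "$WORK/c3d-ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/client.ext" -out "$2" >/dev/null 2>&1
}

cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }
key_pubkey_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{print $NF}'; }

# Same key in two certificates: same public key, different fingerprints.
same_public_key()       { [ "$(cert_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]; }
distinct_fingerprints() { [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]; }
# What the backend server does when it validates the forged client cert.
chains_to_local_ca()    { openssl verify -CAfile "$WORK/c3d-ca.crt" "$1" >/dev/null 2>&1; }

# Constructed sample identities standing in for two different real clients.
ALICE_CERT="$WORK/alice.crt"; BOB_CERT="$WORK/bob.crt"
forge_client_cert "/CN=alice/O=Example Corp" "$ALICE_CERT"
forge_client_cert "/CN=bob/O=Example Corp"   "$BOB_CERT"

echo "alice fingerprint: $(cert_fingerprint "$ALICE_CERT")"
echo "bob   fingerprint: $(cert_fingerprint "$BOB_CERT")"
echo "shared public key: $(cert_pubkey_hash "$ALICE_CERT")"
same_public_key "$ALICE_CERT" "$BOB_CERT" && echo "public keys match"
distinct_fingerprints "$ALICE_CERT" "$BOB_CERT" && echo "fingerprints differ"
chains_to_local_ca "$ALICE_CERT" && echo "alice cert chains to local CA"
```

The two forged certificates verify against `c3d-ca.crt` only; a backend that has not imported that CA (or the AD subordinate CA used in its place) will reject them, which is the trust step the thread says the server admins have to take. Because the verifier above only checks the chain, a backend that additionally pins a client certificate by fingerprint would see a different value for every forged certificate, which is the point of the "fingerprints are all unique" remark.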
There is a weird requirement when configuring C3D!!!
You must configure a client certificate and key AND a certificate authority certificate and key.