
Client Certificate Constrained Delegation

I am trying to configure "client certificate constrained delegation" new in 13.1.x.x. This is used for 2 way SSL authentication. I am trying to add a subordinate CA certificate and key to the serverssl profile but continue to get the error "client certificate constrained delegation key is missing."

Has anyone worked with this new feature as yet or may know what is causing this error?

Thanks.

Comments on this Question
Comment made 2 months ago by Mike Maher 410

I am also having this issue. Did you ever figure out how to make it work?

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Here's what you do:

Prerequisites

  • Create a CA bundle - this is used to validate the client certificate
  • Import server cert and key - this is the typical reverse proxy server certificate
  • Import CA cert and key - this is the CA that forges the client certificate

Client SSL Profile

  • Configuration section
    • Import server cert and key (and optionally a CA chain)
  • Client Authentication section
    • Client Authentication: request or require
    • Trusted Certificate Authorities: attach the CA bundle
    • Advertised Certificate Authorities: optionally attach a CA bundle
  • Client Certificate Constrained Delegation section
    • Client Certificate Constrained Delegation: enabled
    • OCSP: optional
    • Unknown OCSP response control: optional

Server SSL profile

  • Configuration section
    • Certificate: required (can be default)
    • Key: required (can be default)
    • Chain: required if signing with a subordinate CA
  • Client Certificate Constrained Delegation section
    • Client Certificate Constrained Delegation: enabled
    • CA certificate: signing CA cert
    • CA key: signing CA key
    • CA passphrase: optional
    • Certificate lifespan: set preferred time (certs are not cached)
    • Certificate extensions: set extensions to copy from original cert
    • Custom extension: optional (any client cert OIDs to copy)

The certificate that you insert into the server SSL profile is used as a template for the forged client cert. The private key is used to generate the CSR for the forged client cert.

1
Comments on this Answer
Comment made 2 months ago by Kevin Stewart

Also, under normal conditions, the F5 and backend server attempt to resume existing SSL sessions, whereby the server doesn’t send a Certificate Request message. The effect is that all connections to the backend server use the same forged client cert.

There are two ways to get around this:

  • Set a zero-length cache in the server SSL profile
  • Set server authentication frequency to ‘always’ in the server SSL profile
0
Comment made 2 months ago by Stanislas Piron 9954

Thanks for the info about the client certificate / key.

Does it mean all client certificates share same private key?

0
Comment made 2 months ago by Kevin Stewart

Yes, but four things to keep in mind:

  1. The fingerprints are all unique between the certificates, so they’re not interchangeable.

  2. The certificates are in-memory ephemeral and never cached.

  3. This method allows you to store the private key in an HSM for additional (albeit arguably unnecessary) security.

  4. Generating private keys on-the-fly is an extremely CPU-intensive process, so literally any product that does some form of certificate forgery will do it this way.

0
Comment made 1 month ago by Mike P. 236

Maybe I am overthinking this, but I am just not clear on exactly where I would obtain the CA cert and key to use for forging.

Let's say the server cert was obtained from Entrust CA 1. Do I just need a copy of the Entrust CA 1 cert and key as well as the actual server cert and key that Entrust issued?

Appreciate any guidance on that. Again, maybe I am overthinking here but everything I have read has glossed over that section in my opinion.

0
Comment made 1 month ago by Kevin Stewart

Client Certificate Constrained Delegation uses a local CA certificate and key to forge the new client certificate, so the internal servers must trust this local CA.

1
Comment made 1 month ago by Mike P. 236

Ahh. So I use a self-signed CA on the F5 and then export that to the server admins. Thanks!

0
Comment made 1 month ago by Kevin Stewart

Yes, but it doesn't have to be self-signed. Many organizations already have a PKI environment as a function of the AD, so you could simply have the AD issue you a subordinate CA that the servers would already trust.

1
Comment made 1 month ago by Mike P. 236

Excellent idea. I will talk to my AD admins about that. Thanks again!

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

There is a weird requirement when configuring C3D!!!

You must configure a client certificate and key AND certificate authority certificate and key

0