Switch off Trusted CA Check for Client Cert Authentication

Question

We have BigIp breaking SSL and redirecting the requests to a backend server. We want to support client cert authentication, but the Trusted CA check should not be done on the BigIp but on the backend system. The certificate chain of the client certificate and the client certificate is sent as HTTP header to the backend server.&nbsp;
 &nbsp;
Is there a way to switch off this feature and just terminate the ssl and check whenever the ssl peer is in possesion of the private key and leave the certificate trust logic to the backend?&nbsp;
 &nbsp;
If I put none as trusted CA list then SSL handshake fails with ca not trusted alert.&nbsp;
 &nbsp;
Best Regards,&nbsp;
Aleksandar&nbsp;

nitass · Answer

is proxy ssl feature applicable? 
&nbsp;  
&nbsp; sol13385: Overview of Proxy SSL feature  
&nbsp; http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385

sencko_83194 · Answer

Unfortunately there is no SSL support on the backend :-(

hooleylist · Answer

Can you change the cert mode to request on the client SSL profile? 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Switch off Trusted CA Check for Client Cert Authentication

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

google-visualization-issues

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Trust your CDN, but not completely

Creating device trust / trust-domain through iControl REST Call(s)

Doing mTLS Authentication per URL

Zero Trust building blocks - Machine Identity Management (MIM) and Workload Protection