Forum Discussion

ashbeyk_127079
Sep 26, 2005

Can't set advertised cert authorities

I have a rule which decides whether to request a cert depending on the URL requested.


The Client Authentication section of the Client SSL profile is set to "Ignore" and the iRule contains:

    if {($need_cert == 1) && ($have_cert == 0)} {
        # hold the request while the SSL handshake is redone
        HTTP::collect
        log local0. "Cert required, sent renegotiate"
        # demand a client certificate and trigger a new handshake
        SSL::cert mode require
        SSL::renegotiate
    }


This works OK but I now want to set the "Advertised Certificate Authorities" to only prompt the client for certs generated from a specific authority. The GUI doesn't let me set this unless I change the Client Certificate field to "Auto". I then get prompted for a client cert for every connection. I tried setting SSL::cert mode ignore in the CLIENT_ACCEPTED event but the command isn't valid here. Is there a way round this?
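For reference, here is a complete iRule built around the fragment in the post above, showing where each piece sits: the request is held, the profile's certificate mode is switched to "require" for this connection only, and the held request is released once the renegotiated handshake completes. This is an added illustration, not the poster's rule or F5's own code. The "/secure" URI prefix and the issuer DN are assumed placeholders; the iRule cannot change the list of CAs advertised in the CertificateRequest (the profile's CA file controls chain validation), so the issuer check is the closest in-rule equivalent of "only accept certificates from this CA".

```tcl
# Added example (not from the original post): request a client certificate
# only for URIs under an assumed "/secure" prefix, then confirm the
# certificate the client presented was issued by the expected CA.
# The Client SSL profile's Client Certificate setting stays on "ignore";
# the rule switches it to "require" per connection.

when CLIENT_ACCEPTED {
    # per-connection state, visible to the later events on this connection
    set need_cert 0
    set have_cert 0
}

when HTTP_REQUEST {
    if { [string tolower [HTTP::uri]] starts_with "/secure" } {
        set need_cert 1
    }
    if { $need_cert == 1 && $have_cert == 0 } {
        # hold the request so it is not forwarded before the new handshake completes
        HTTP::collect
        log local0. "Client certificate required for [HTTP::uri], renegotiating"
        SSL::cert mode require
        SSL::renegotiate
    }
}

when CLIENTSSL_CLIENTCERT {
    # Runs when the client answers the CertificateRequest. The CA file on the
    # profile validates the chain; this check additionally pins the issuer so a
    # certificate from any other CA in that file is still refused.
    # The issuer DN is an assumed placeholder; match it to X509::issuer's output.
    if { [SSL::cert count] > 0 } {
        set issuer [X509::issuer [SSL::cert 0]]
        if { $issuer equals "CN=Example Corp Client CA,O=Example Corp,C=US" } {
            set have_cert 1
        } else {
            log local0. "Rejecting client certificate from unexpected issuer: $issuer"
            reject
        }
    }
}

when CLIENTSSL_HANDSHAKE {
    # fires for the initial handshake and again after the renegotiation;
    # release whatever HTTP::collect is holding so the request proceeds
    HTTP::release
}
```

With the profile left on "ignore", ordinary connections never see a CertificateRequest; only a request under the assumed prefix triggers the renegotiation, and a certificate that chains correctly but comes from a different issuer is logged and the connection is reset.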

5 Replies

  • unRuleY_95363
    Historic F5 Account
    You should be able to set that from the CLI even though the cert mode is ignore. The only downside is to be careful not to use the GUI to view that profile as it will reset it. We do have a CR addressing a very similar problem on a different post (you couldn't specify the CRL file if the cert mode was set to ignore). You could always call support and request a hotfix (this will potentially raise the priority on getting it fixed sooner rather than later).

  • So I should be able to set the Cert Authorities? What would the command be? - I don't see an SSL:: option
  • unRuleY_95363
    Historic F5 Account
    We don't have an iRule command that changes any of the parameters that are derived from files (eg: key, cert, chain, CA, CRL, or client cert CA files).
  • unRuleY_95363
    Historic F5 Account
    Whoops, I just realized you probably want to specify:

    [root@hsibj1:Active] config  bigpipe profile clientssl  client cert ca 

  • This would be great to fix in the GUI...

    In the meantime, another user posted a solution which I've described in this post which does not break when the client SSL profile is viewed in the GUI:

    how to specify a ca_bundle in an irule
    http://devcentral.f5.com/Default.aspx?tabid=53&forumid=5&postid=790956&view=topic

    Aaron