Forum Discussion
39 Replies
- nathe (Cirrocumulus)
BTW "request" is as good as "none" really (unless you're doing certificate checks in an iRule).
Do you get any logs in the LTM log to give you any clues?
I'd try the following SOLs from F5:
Troubleshooting Client Certificate Authentication
In a nutshell, have you got the "Trusted Certificate Authorities" section in the SSL profile set? If it's a self-signed cert it may not reference a CA, so you might just need to reference the certificate itself here.
Also, presumably you have a client CA in the Personal folder? Do you get prompted to choose a certificate to use for authentication?
Rgds N
- Spidey_29396 (Nimbostratus)
Hi nathan,
I don't get any logs from F5 related to the certificates; I also used the same certificate in the "Trusted Certificate Authorities". I always get an SSL error on the web page if it is "require".
Thanks! Ferdz
- nathe (Cirrocumulus)
Do you get a prompt to select a certificate at all on the client? Does the client have the certificate installed in their certificate store? Which browser are you using? Does it make any difference between IE and Firefox, for example? I'd look to enable debugging then, or perhaps try a tcpdump/ssldump to see if this gives you any more clues.
- Spidey_29396 (Nimbostratus)
I had already installed the certificate in both browsers, IE and Firefox. On IE, "page cannot be displayed" is the result; on Firefox, "unauthorized certificate", and when I click continue it says SSL error. Can you give me the steps for creating a self-signed certificate and the client SSL profile configuration?
- Kevin_Stewart (Employee)
Think of it this way. When a server presents its certificate to a browser during an SSL handshake, the client must be able to validate that certificate. Validation involves date and integrity checking, and a trust "chain" establishment. That chain is a path from the server certificate to a self-signed root CA certificate, and is made possible by virtue of an EXPLICIT trust of the CA certificates, and that explicit trust is based on CA certificates that are installed in the client's trust store. If you set client cert auth on the F5 to ignore, and you can get to the web page with or without a certificate warning in the browser, then you're probably okay on the client side.
When the client sends its certificate to a server, as part of a mutually authenticated SSL handshake, the server (F5 VIP) must perform the same validation checks that the client had to do for the server cert. It includes date and integrity checking, and an explicit trust chain establishment by virtue of the CA certificates stored in the Trusted Certificate Authorities cert/bundle. The Trusted Certificate Authorities cert/bundle is only used for client cert auth.
I don't think you specified where you were using the self-signed cert, but if it was on the server side (cert and key inside the client SSL profile) then it shouldn't matter as the issuer of a server cert doesn't have to be (and usually isn't) the same as the client cert. What matters here is that the client SSL profile can validate the certificate presented by the client.
- nathe (Cirrocumulus)
Just a thought - has your client certificate in IE got an associated private key? I'm sure I'll be informed otherwise, but the cert will need this. The cert won't be offered as a client cert to use if not.
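Added example (not code from the thread or from F5) that walks through the two points the thread is circling: Kevin's, that the VIP must chain the client certificate to a CA in the Trusted Certificate Authorities bundle, and nathe's, that the .pfx has to carry the private key before a browser will offer it. It assumes openssl is on the path; the CA name, the CN and the file names are constructed lab values.

```shell
#!/bin/sh
# Added example, not from the thread or from F5: reproduce the checks a client SSL
# profile makes on a client certificate, using only openssl on lab-generated files.
set -eu
WORK=$(mktemp -d)               # constructed scratch dir; nothing here touches a BIG-IP
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Lab CA: this is what would go in the profile's "Trusted Certificate Authorities" field.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 30 \
    -subj "/CN=Lab Client CA" >/dev/null 2>&1
# Client cert issued by that CA (the CN is a constructed value).
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=ferdz" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client.crt -days 30 >/dev/null 2>&1
# A self-signed client cert that chains to nothing in the bundle.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue.key -out rogue.crt -days 30 \
    -subj "/CN=selfsigned" >/dev/null 2>&1
# The .pfx the poster imported into IE/Firefox, built with and without the private key.
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx -passout pass:
openssl pkcs12 -export -nokeys -in client.crt -out certonly.pfx -passout pass:

# verify_against_bundle CERT BUNDLE -> "ok" or "fail": date, signature and chain
# checks against the bundle, i.e. what the VIP decides when client auth is "require".
verify_against_bundle() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# pfx_has_key PFX -> "yes" or "no": a .pfx with no private key lands in the browser
# store but is never offered as a client certificate.
pfx_has_key() {
    if openssl pkcs12 -in "$1" -passin pass: -nocerts -nodes 2>/dev/null \
        | grep -q "PRIVATE KEY"; then echo yes; else echo no; fi
}

echo "CA-issued client cert vs bundle:  $(verify_against_bundle client.crt ca.crt)"   # ok
echo "self-signed cert vs bundle:       $(verify_against_bundle rogue.crt ca.crt)"    # fail
echo "self-signed cert vs itself:       $(verify_against_bundle rogue.crt rogue.crt)" # ok
echo "client.pfx carries private key:   $(pfx_has_key client.pfx)"                    # yes
echo "certonly.pfx carries private key: $(pfx_has_key certonly.pfx)"                  # no
```

The third line of output is nathe's earlier point: a self-signed client cert only validates when that same cert is what sits in the Trusted Certificate Authorities field.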
- Spidey_29396 (Nimbostratus)
Hi nathan/kevin,
Thank you. I am using client SSL. I converted the .crt and .key I generated to .pfx and loaded it into my browser, but it still doesn't work.
- nathe (Cirrocumulus)
Might be best to upload the config of your client SSL profile (anonymized where appropriate), but also confirm whether it prompts you to select your local client certificate. You've not made it clear if this bit works or not; I presume it doesn't. If it doesn't, then check the IE certificate store that you can see the client cert under the Personal folder and that the private key is definitely in there. Thanks N
- Spidey_29396 (Nimbostratus)
Hi Nathan,
I will share the config with you by Monday since I've already left the office.
Thanks! Ferdz
- Spidey_29396 (Nimbostratus)
Hi Nathan/Kevin,
Attached here is my configuration of the client SSL profile.
Thanks! Ferdz