Forum Discussion

sebbenw_230133
May 25, 2016

problem with SSL authentication

Hi, I'm having a problem with a public key certificate in my client SSL profile. Do I need to import the root CA in the client profile for it to work? If I do that, will everybody who has that root CA be able to communicate with me?

 

I only want the company whose public key I have to be able to access us.

 

Regards

 

Sebastian

 

3 Replies

  • Hello Sebastian,

     

    On your Client SSL Profile you can use the Intermediate CA, if there is one, to reduce the field. Then filter your company's client certificate with an iRule based on information common to those.

     

  • You can follow this article:

    https://devcentral.f5.com/wiki/iRules.ClientCertificateCNChecking.ashx

    In my case, I'm checking the certificate serial:

        when RULE_INIT {
            set static::debug 1
        }

        when CLIENTSSL_CLIENTCERT {
            # Read the fields of the certificate presented by the client
            set cert [SSL::cert 0]
            set sn [X509::serial_number $cert]
            set subject [X509::subject $cert]
            set issuer [X509::issuer $cert]
            set version [X509::version $cert]
        }

        when HTTP_REQUEST {
            # CLIENT_CERTS is the data group holding the allowed serial numbers
            if { ([matchclass $sn contains CLIENT_CERTS]) } {
                # Accept the client cert
                log local0. "Client Certificate Accepted: $sn"
            } else {
                log local0. "No Matching Client Certificate Was Found Using: $sn"
                reject
            }
        }
    

    Depending on what you want to check, we can adjust the client certificate field to verify.
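
Added example, not part of the replies above and not F5's own code: a variant of the serial-number check that runs at handshake time, handles a missing certificate, matches the serial exactly, and also pins the issuer, since a serial number is unique only within the CA that issued it. `CLIENT_CERTS` is the data group from the reply; `static::expected_issuer` and its placeholder value are assumptions.

```tcl
# Added example. CLIENT_CERTS is the data group named in the reply above;
# static::expected_issuer is a hypothetical variable holding a placeholder.
when RULE_INIT {
    set static::debug 1
    # Placeholder: use the issuer DN exactly as [X509::issuer] logs it on your system.
    set static::expected_issuer "<ISSUER-DN-PLACEHOLDER>"
}

when CLIENTSSL_CLIENTCERT {
    # No certificate was sent (profile set to "request"): drop the connection.
    if { [SSL::cert count] == 0 } {
        log local0. "Client presented no certificate"
        reject
        return
    }

    set cert   [SSL::cert 0]
    set sn     [X509::serial_number $cert]
    set issuer [X509::issuer $cert]

    # Serial numbers are unique only per issuing CA, so check the issuer too.
    if { $issuer ne $static::expected_issuer } {
        log local0. "Rejected: unexpected issuer $issuer"
        reject
        return
    }

    # "equals" is an exact match; "contains" would also accept a serial that
    # merely includes an allow-listed value as a substring.
    # Store data group entries in the same format X509::serial_number logs.
    if { [class match $sn equals CLIENT_CERTS] } {
        if { $static::debug } { log local0. "Client certificate accepted: $sn" }
    } else {
        log local0. "Rejected: serial $sn is not in CLIENT_CERTS"
        reject
    }
}
```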