Forum Discussion

Nuruddin_Ahmed_
Dec 25, 2016

Client Certificate Verification

Hi,

I have created a client-side SSL profile for client certificate authentication. In the SSL profile, we have just imported the root certificate. I have a few questions:

  1. Since we have imported only the root certificate, this would allow all clients who have a client certificate issued by this root CA to authenticate. However, we want connections to be allowed from specific certificates issued by this root CA. How can we do it?

  2. When F5 validates the client certificate, what does it actually validate?

3 Replies

  • See this for questions on what is being validated.

    Root CA's cert must exist in F5 for proper validation.

  • AndOs

    To allow only specific certificates you can use an iRule.

    There are a few examples in the code share.

    Validate Certificate Common Name and Revocation Status

    Request Client Certificate And Pass To Application

    Client Certificate CN Checking

    Here is a version of an iRule I've used in the past.

    Looking at the code now I see that there's room for improvement here and there 🙂 But hopefully this, or any of the examples above, can get you started.

    # Derived from http://devcentral.f5.com/wiki/default.aspx/iRules/ClientCertificateCNChecking.html

    when RULE_INIT {
        set static::certinspect_debug 0

        log local0. "iRule updated or initialized. debug = $static::certinspect_debug"
    }

    when CLIENTSSL_CLIENTCERT {

        # Init allowed/disallowed flag. Default to not trusted.
        set client_cert_ok 0

        # Check if client provided a cert
        if { [SSL::cert 0] eq "" } {
            if { $static::certinspect_debug } { log local0. "No client cert sent from client. Client='[IP::client_addr]:[TCP::client_port]'" }

            # Reset the connection
            reject

        } else {

            if { $static::certinspect_debug } { log local1. "SSL SessionID='[SSL::sessionid]' | Client='[IP::client_addr]:[TCP::client_port]'" }

            # Get the subject DN from cert.
            set subject_dn [X509::subject [SSL::cert 0]]

            # Check trusted certs.
            switch -glob [string tolower $subject_dn] {
                "serialnumber=xyz,cn=name.domain.com,o=org,c=se" {
                    # Client cert is trusted. Set flag. Needs to be set to 1 for the logic in HTTP_REQUEST to work.
                    set client_cert_ok 1

                    if { $static::certinspect_debug } { log local1. "Matching client cert: $subject_dn | Client='[IP::client_addr]'" }
                }
                default {
                    log local0. "NO MATCHING CLIENT CERTIFICATE!: $subject_dn | Client='[IP::client_addr]:[TCP::client_port]'"

                    reject
                }
            }
        }
    }

    when HTTP_REQUEST {

        # Client sent an HTTP request.

        if { $static::certinspect_debug } { log local1. "URI='[HTTP::uri]' | SSL SessionID='[SSL::sessionid]' | Client='[IP::client_addr]:[TCP::client_port]'" }

        # Check if the client cert for this connection was trusted.
        # If it was not, send an error message to the client.
        if { ( [info exists client_cert_ok] && $client_cert_ok == 1 ) } {
            # Request accepted
        } else {
            if { $static::certinspect_debug } { log local1. "Sending deny to client | URI='[HTTP::uri]' | SSL SessionID='[SSL::sessionid]' | Client='[IP::client_addr]:[TCP::client_port]'" }
            HTTP::respond 403 content "Bad client certificate!"
        }
    }
    

    /Andreas

  • Just adding the above iRule will not work. You need to enable the Authentication setting in the Client SSL profile (iRule + Client Auth).

    Enable the below setting in the profile.

    Go to the SSL profile “abc_SSL_clientssl” --> Configuration --> Advanced --> Client Authentication --> enable the checkbox.
    Client Certificate --> Request Frequency --> Always.
    Advertised Certificate Authorities --> select the certificate which you have used in the profile from the drop-down list.
    Click on Update. Attach the SSL profile to the VIP.
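An added example that ties the two replies above together; it is not code from this thread, from AndOs, or from F5. It keeps the structure of the posted iRule but pins individual certificates instead of subject names: a CA can issue more than one certificate with the same CN (a renewal, for instance), so a subject-DN match admits every certificate the CA ever issues with that name, whereas issuer DN plus serial number identifies exactly one certificate. It also makes explicit what the profile has already validated by the time CLIENTSSL_CLIENTCERT fires (the chain, reported through SSL::verify_result), which is the answer to the second question. As the last reply says, the client-ssl profile must have client authentication enabled for any of this to run. The data group name dg_allowed_client_certs, its key format "<issuer dn>|<serial>", and the sample key in the header comment are assumptions of this example.

```tcl
# Added example, not code from this thread or from F5. Pins individual client
# certificates by issuer DN + serial number looked up in a data group.
# Assumptions of this example:
#   - the client-ssl profile on the virtual server has Client Certificate set
#     to "require" (or "request") with the root CA as its trusted CA, so that
#     CLIENTSSL_CLIENTCERT fires and SSL::verify_result is populated;
#   - a string data group named dg_allowed_client_certs (hypothetical name)
#     exists whose keys look like "<lower-cased issuer dn>|<serial>", e.g.
#     "cn=example root ca,o=example,c=se|0a:1b:2c" (constructed value).

when RULE_INIT {
    set static::cert_pin_debug 1
}

when CLIENTSSL_CLIENTCERT {
    # Local variables live for the whole TCP connection, so HTTP_REQUEST can
    # read this flag later. Default is "not authorized".
    set client_cert_ok 0

    # No certificate presented at all.
    if { [SSL::cert count] < 1 } {
        log local0. "No client certificate from [IP::client_addr]:[TCP::client_port]"
        reject
        return
    }

    # What the profile has already validated by this point is the chain:
    # signature by a CA in the profile's trusted CA list, validity dates and
    # chain depth (OpenSSL verification). 0 means OK. In "require" mode a
    # failure has already aborted the handshake; in "request" mode the
    # handshake continues and this check is what enforces it.
    if { [SSL::verify_result] != 0 } {
        log local0. "Client certificate failed chain validation, code [SSL::verify_result], from [IP::client_addr]:[TCP::client_port]"
        reject
        return
    }

    set cert [SSL::cert 0]
    # Serial numbers are only unique per issuer, so the issuer DN is part of
    # the key. Lower-casing makes the data group keys case-insensitive.
    set issuer [string tolower [X509::issuer $cert]]
    set serial [string tolower [X509::serial_number $cert]]
    set pin "${issuer}|${serial}"

    if { [class match $pin equals dg_allowed_client_certs] } {
        set client_cert_ok 1
        if { $static::cert_pin_debug } {
            log local0. "Authorized client certificate $pin from [IP::client_addr]:[TCP::client_port]"
        }
    } else {
        # Log the exact pin string: this is the value to add to the data group
        # when onboarding a new client.
        log local0. "Client certificate not on allow list: $pin subject='[X509::subject $cert]' from [IP::client_addr]:[TCP::client_port]"
        reject
    }
}

when HTTP_REQUEST {
    # Safety net: if the flag was never set to 1 on this connection, refuse
    # the request instead of passing it to the pool.
    if { !([info exists client_cert_ok] && $client_cert_ok == 1) } {
        HTTP::respond 403 content "Client certificate not authorized"
        return
    }
}
```

To onboard a client, leave debug on, make one connection with its certificate, and copy the pin string from the rejection log line into the data group: the string form returned by X509::serial_number is what has to match, so do not retype the serial from another tool's output. CN matching, as in the posted iRule, is adequate when the CA only ever issues one certificate per name; the issuer-plus-serial key admits exactly the certificates that were listed and nothing re-issued under the same subject.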