Client SSL Authentication

As long as all the certificates are signed by the same CA (and you have the CA certificate) you should be OK;

 

 

1) Install the relevant CA certificate on the device

 

2) Configure a ClientSSL certificate with setting Client Certificate: require

 

3) Select the certificate in Trusted Certificate Authorities

 

4) Apply to the VS

 

5) Test a lot!

Client certificate authentication can be broken into two primary categories: revocation and validation.

 

 

Revocation is the process of determining if a certificate has been revoked by its issuer and involves processes like OCSP, CRLDP, and direct CRL lookup.OCSP and CRLDP are available in the Access Policy Manager module, and direct CRL lookup is available in the client SSL profile. Revocation is not explicitly required for client certificate authentication.

 

 

Validation on the other hand is the process of checking the client certificate for correct attributes. At the very least it's concerned with a) validity dates - that the certificate is not being used before or after a certain range of dates, and b) trust. Based on the notion that PKI (public key infrastructure) is a "three-party" system where two of the parties who trust a common authority, by transition will trust each other, certificate trust establishment is the cryptographic mechanism that an entity will use to establish a trusting "link" to that common authority. So for example, imagine a server (www.example.com) is issued a certificate by a subordinate certificate authority (ca-sub1.example.com), which was issued its certificate by the root certificate authority (ca.example.com).

 

 

www.example.com <-> ca-sub1.exmaple.com <-> ca.example.com

 

 

In this example you've established a chain of trust from the server certificate all the way to the (self-signed) root certificate by way of cryptographic signatures in each parent-child relationship. Now suppose a client is issued a certificate from another subordinate authority (ca-sub2.example.com) which was also issued its certificate from the same root CA (ca.example.com). When the client presents its certificate to the server, the server must build a chain from the client's certificate to the common root in order to establish "trust". On the BIG-IP, this is done using a bundle file that is assigned to the Trusted Certificate Authorities option in the client SSL profile. A bundle is a simple text file that contains the base64 PEM-encoded certificates of ALL of the possible client certificate issuers up to and including the self-signed root. The bundle would look something like this:

 

 

-----BEGIN CERTIFICATE-----

 

MIIDejCCAmKgAwIBAgIBBTANBgkqhkiG9w0BAQUFADBgMQswCQYDVQQGEwJVUzEY

 

...

 

-----END CERTIFICATE-----

 

-----BEGIN CERTIFICATE-----

 

MIIFxzCCBK+gAwIBAgICALEwDQYJKoZIhvcNAQEFBQAwYDELMAkGA1UEBhMCVVMx

 

...

 

-----END CERTIFICATE-----

 

...

 

 

So in the above example, the bundle should contain, at a minimum, ca.example.com and ca-sub2.example.com. If you've ever looked at the certificate store in your browser, the bundle file is the client certificate equivalent of that - an explicit list of certificates to trust. So in summary, in the client SSL profile, set Client Certificate to request or require and then select your CA bundle in the Trusted Certificate Authorities drop down. One other really cool feature of the BIG-IP client SSL profile, and something that many web servers can't do on their own is the notion of "root hints". If you apply a bundle file to the Advertised Certificate Authorities drop down, when the BIG-IP, as part of the SSL negotiation, requests the client's certificate, it will include a list (this list) of acceptable issuers. If you're in an organization that issues different certificates for different things from different issuers, and a user may have two or more of these certificates, this is a great way to selectively eliminate certificates from the list that the browser presents.

 

 

Is it possible to authenticate to a specific certificate such as clientA.example.com and clientB.example.com or will anything signed by *.example.com be sucessfully authenticated. Maybe an iRule...

 

if client certificate is in client_auth_dataGroup

 

then permit

 

else

 

discard

 

Validation and authentication are still two different things. You've successfully validated a certificate by way of checking (at a minimum) validity dates and trust. To authenticate, or rather "assert" the identity of a user via their certificate, there are a number of ways to approach this. The easiest is probably with X509. Inside a certificate is a bundle of (text) data called X509 (or at least information arranged by the X509 standard). At a minimum there are values for subject, issuer, validity dates, and serial number. But there can also be Subject Alternative Names (email addresses, UPNs, etc.), certificate policies (what kind of cert it is - software certificate, smartcard, etc.), key usage, OCSP/CRLDP revocation URLs, and many more. These X509 values are all accessible via iRules using the X509:: commands (https://devcentral.f5.com/wiki/iRules.X509.ashx). So to get the certificate subject:

[X509::subject [SSL::cert 0]]

You can then very easily create a data group of acceptable certificate subjects and use a quick iRule in the CLIENTSSL_CLIENTCERT event to allow or block specific users/certs:

when CLIENTSSL_CLIENTCERT {
   if { [SSL::cert count] > 0 } {
      if { not { [class match [X509::subject [SSL::cert 0]] equals cert_data_group] ) } {
          client certificate (subject) not in the data group - log and drop
         log local0. "User presented a certificate ([X509::subject [SSL::cert 0]]) that is not in the data group - rejecting"
         reject
      }
}

The above is a whitelist example. You can also use other values in the certificate, as mentioned earlier.

hi, Is there a way using iRULE to create a "whitelist" based on source IP to disable the client cert authentication? if so, can someone share their iRULE?

 

thanks.

 

The easiest thing would probably be to create two client SSL profiles: one with client authentication and one without, then create an address-based data group that contains your whitelist IPs/IP subnets. Here's what the iRule might look like:

when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals my_ip_dg] } {
        SSL:profile noauth_clientssl
    } else {
        SSL::profile auth_clientssl
    }
}

where "my_ip_dg" is the name of the arbitrarily-named address-based data group, and "noauth_clientssl" and "auth_clientssl" are the names of the client SSL profiles - no auth and auth respectively.

Hi, my setup is like below.

 

Client_A , Client_B, Client_C client A & B are using self signed certificates so are different different certificates and Client using standard CA signed Certificate and which will have chain of certificates.

 

so all three certificate are different.

 

I have configured one virtual server (via iAPP) for SSL port 8002 to balance the traffic for all three client A,B,C.

 

back end servers (pool members) are also re-encrypting.

 

Now my queries is how to make single CA bundle for all three Certificates. and how client authentication done from single file for example if client B comes and how if client C comes which have chain of certificate.

 

Appreciate help.

 

Regards, Neeraj Jagetia

 

Now my queries is how to make single CA bundle for all three Certificates.

 

have you tried to combine (concatenation) all ca and chain certificates to one file and set it as trusted certificate authorities?

 

The link below will walk you through the steps to create a custom cabundle for the roots you want to trust.

 

http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html

 

Hi Kevin / Nitas / Chris,

 

I got certificate from Client (Bank) which is self signed by openssl from Client LAPTOP. then how can have find root CA to select or how can I find CA as it was self signed.

 

when I enable ' Client Certificate' > to ignore it works but when I enable ' Client Certificate' to require, it does not work

 

my Worry is what to select in field ' Trusted Certificate Authorities' > bank provided certificate or F5 default available 'ca-bundle' or 'default' or 'f5-irule' ?

 

Regards, Neeraj Jagetia