Forum Discussion

computerli
May 08, 2018

What is the purpose of "Chain" in the Certificate+Key+Chain

What is the purpose of "Chain" in the Certificate+Key+Chain client SSL profile? What happens when "None" is selected? When should it be used or not used?

Additionally, what is "Trusted Certificate Authorities" in Client Authentication?

I have a private root certificate which I have added to ca-bundle using the iApp. Should I select ca-bundle for both the "Chain" and "Trusted Certificate Authorities"?

1 Reply

  • Hello,

    In order for an SSL certificate to be trusted, that certificate must have been issued by a CA. You have to set this CA (chain/root) in your SSL client profile.

    If you don't set this chain, and suppose that you want to access your service from outside, you will probably get an error (SSL warning) unless this chain/root is included in the trusted store of the device that is connecting (e.g. the IE browser).

    So in order to avoid users getting an SSL warning, you have to set this chain.

    If the certificate was not issued by a trusted CA (self-signed, created on F5), the connecting device (e.g. a web browser) will usually display an error.

    "Client Authentication" will allow you to authenticate a user using his "client authentication certificate". This certificate is installed and hosted in a keystore (you can see these certificates in IE).

    So in order to authenticate a user, the user presents a certificate in the TLS handshake. This certificate is signed by a CA.

    So when the user attempts to connect, we will validate his client auth cert with the CA who signed it. And you have to set this CA in "Trusted Certificate Authorities".

    Please check this article; it is complete and explains all you need about client cert auth:

    https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication

    Regards
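The two verifications the reply describes (the server's chain being completed by an intermediate, and a client certificate being checked against the trusted CA) can be reproduced offline with the openssl command line. The script below is an added example, not part of the forum thread or of any F5 product; it builds a private root, an intermediate, a server certificate and a client certificate (all names, subjects and file paths are constructed for the demo) and then runs `openssl verify` in the four situations that matter: server cert without the intermediate (what a connecting device sees when Chain is "None"), server cert with the intermediate supplied as an untrusted link, client cert against the right CA, and client cert against an unrelated CA.

```shell
#!/bin/sh
# Added example (not from the forum thread): show why the "Chain" (intermediate)
# must be presented by the server, and how a client certificate is validated
# against the CA listed under "Trusted Certificate Authorities".
# All subjects, names and paths below are constructed for this demo.

WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# Minimal openssl config: CA, server and client extension sections.
# The -subj argument overrides the placeholder CN in [ dn ].
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# new_cert <name> <subject> <ext-section> [<issuer-name>]
# Without an issuer the certificate is self-signed (a root CA).
new_cert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl req -x509 -new -key "$name.key" -out "$name.crt" -days 365 \
            -subj "$subj" -config ext.cnf -extensions "$ext" 2>/dev/null
    else
        openssl req -new -key "$name.key" -out "$name.csr" -subj "$subj" -config ext.cnf 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
            -out "$name.crt" -days 365 -extfile ext.cnf -extensions "$ext" 2>/dev/null
    fi
}

new_cert root   "/CN=Example Private Root CA" ca_ext
new_cert inter  "/CN=Example Intermediate CA" ca_ext     root
new_cert server "/CN=www.example.test"        server_ext inter
new_cert client "/CN=alice"                   client_ext root
new_cert other  "/CN=Unrelated Root CA"       ca_ext

# Print "ok" or "fail" for one openssl verify run without aborting the script.
check() {
    if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Chain = None: the connecting device trusts only the root and the server sends
# no intermediate, so no path from server cert to root can be built.
verify_server_without_chain() { check -purpose sslserver -CAfile root.crt server.crt; }

# Chain = intermediate bundle: the server supplies inter.crt as an untrusted
# (not yet verified) link and the path up to the trusted root closes.
verify_server_with_chain()    { check -purpose sslserver -CAfile root.crt -untrusted inter.crt server.crt; }

# Client authentication: the presented client cert must chain to the CA set in
# "Trusted Certificate Authorities"; an unrelated root does not validate it.
verify_client_trusted_ca()    { check -purpose sslclient -CAfile root.crt  client.crt; }
verify_client_wrong_ca()      { check -purpose sslclient -CAfile other.crt client.crt; }

main() {
    echo "server cert, no chain sent:     $(verify_server_without_chain)"
    echo "server cert, chain sent:        $(verify_server_with_chain)"
    echo "client cert, trusted CA:        $(verify_client_trusted_ca)"
    echo "client cert, unrelated CA:      $(verify_client_wrong_ca)"
}
main
```

The `-untrusted inter.crt` argument models what a server-side "Chain" setting does: the intermediate is sent along with the leaf so the peer can build the path, but it is only trusted once the peer has validated it back to a root it already holds. In the poster's scenario the same private root would be the trust anchor for both checks, so pointing both "Chain" and "Trusted Certificate Authorities" at the bundle that contains it is consistent with what the script verifies.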