Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?
Hello,
I'm in the process of setting up VIPs for client authentication purposes.
My challenge: for a given PFX I need to 'trust' two root CAs that are not part of the default CA bundle.
I uploaded the two root CAs in LTM and created one client SSL profile per root CA.
Both have the same PFX file for certificate and key.
Both are configured to 'require' the client certificate 'once' (frequency).
Each has its own root CA configured in the 'Trusted Certificate Authorities' field.
--> The communication with the back-end servers is in clear text, thus I do not need to define a server SSL profile.
In my mind, it is a valid setup:
The client will start an SSL handshake with the public key of the PFX certificate associated with the VIP.
The F5 expects a client certificate signed by one of the two root CAs.
--> In fact, it is configured like this on our CSS and it works very well.
1st question:
I did setup an HTTPS VIP listening on port 443.
If I associate one or the other client SSL profile with it, it works fine.
But if I try to associate the two client profiles, F5 does not accept the configuration (same error message in the GUI or CLI) and tells me:
0107149e:3: Virtual server /Common/vs_p02_isp3_colt_secure2.ogone.com_82 has more than one clientssl/serverssl profiles that is default for SNI.
SNI is not something I want to use, because I do not need to specify the server name. So I am in the opposite situation: neither has SNI activated.
I tried anyway to activate the option 'Default SSL Profile for SNI', but no more luck getting the setup accepted.
Is there something I am doing wrong?
2nd question:
I have always wondered what this property 'client-cert-ca' is, which is available in the CLI but which I do not find in the GUI.
After a while, I realized that it is related to the GUI field (in an SSL profile) called "Advertised Certificate Authorities" (in client authentication).
But I must admit that such a name does not really ring a bell... Could someone help/explain?
Thanks and best regards,
--
Benoit