Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?

Question

Hello,&nbsp;
 &nbsp;
I'm in the process to setup VIP's for client authentication purposes.&nbsp;
My challenge: For a given PFX I need to 'trust' two root CA that are not part of the default CA bundle.&nbsp;
 &nbsp;
I did upload the two root CA in LTM, and created one client ssl profile per root CA.&nbsp;
Both have the same PFX file for certificate and key.&nbsp;
Both are configure to 'require' the client certificate 'once' (frequency).&nbsp;
Each has its own root CA configured in the 'Trusted Certificate Authorities' field.&nbsp;
--&gt; The communication with the back end servers is in clear text, thus I do not need to define a server SSL profile&nbsp;
 &nbsp;
In my mind, it is a valid setup:&nbsp;
The client will start an SSL handshake with the public key of the PFX certificate associated with the VIP&nbsp;
The F5 expects a client certificate signed by one of the two root CA&nbsp;
--&gt; In fact, It is configured like this on our CSS and it works very well.&nbsp;
 &nbsp;
- 1st question:&nbsp;
I did setup an HTTPS VIP listening on port 443.&nbsp;
If I associate one or the other client SSL profile with it, it works fine.&nbsp;
But if I try to associate the two client profiles, F5 does not accept the configuration (same error message in GUI or CLI) and tells me:&nbsp;
0107149e:3: Virtual server /Common/vs_p02_isp3_colt_secure2.ogone.com_82 has more than one clientssl/serverssl profiles that is default for SNI.&nbsp;
 &nbsp;
SNI is not something I want to use, because I do not need to precise the server name. So I am in the opposite situation: none has SNI activated.&nbsp;
I tried anyway to activate the option 'Default SSL Profile for SNI' but no more luck to get the setup accepted.&nbsp;
Is there something I am doing wrong ?&nbsp;
 &nbsp;
2nd question:&nbsp;
I always wondered myself, what is this property 'client-cert-ca' available in CLI that I do not find in the GUI.&nbsp;
After times, I realized that it is related to the GUI field (in a SSL profile) called "Advertised Certificate Authorities" (in client authentication).&nbsp;
But I must admit that such a name does not really ring a bell... Could someone help/explain ?&nbsp;
 &nbsp;
thanks and best regards,&nbsp;
 &nbsp;
--&nbsp;
Benoit&nbsp;
 &nbsp;
 &nbsp;
 &nbsp;
 &nbsp;

kevin_stewart · Answer

1st question: you can create your own bundle file by adding both CA's certificates to a single certificate object in the GUI (choose paste text and paste X509 of both CA certs). Applying this ONE bundle file to a single client SSL profile in the VIP will allow client certificates issued by either of the two CAs to validate. When you add multiple client SSL profiles to a VIP it assumes that you're doing SNI, for which you'd have to configure one (or neither) as the default. 
&nbsp;  
&nbsp; 2nd question: I can't speak to the origin of the property name, but an Advertised Certificate Authorities certificate, or rather bundle of certificates (see above) provides a "root hint" mechanism in the SSL negotiation. During the SSL negotiation with client certificate authentication, the server will say "CertificateRequest" to the client, meaning that it wants a certificate. If you apply an Advertised Certificate Authorities bundle then the server will also send a list of issuers that it will accept from the client. In IE in most browsers this equates to a filtered list of client certificates in the certificate prompt.

benoit_c_ · Answer

Hi Kevin, 
&nbsp;  
&nbsp; thanks for the swift answer. 
&nbsp; I thought to do this but in my mind, it would have implied that one of the two CA takes the precedence (chain) over the 2nd one. 
&nbsp; I'll setup it now. 
&nbsp;  
&nbsp; About 'Advertised Certificate Authorities', I am re insured that it can't be a blocking point for a non working setup. 
&nbsp; But obviously it is a kind of whitelist for CA, I do not need it. 
&nbsp;  
&nbsp; Have a nice day ! 
&nbsp; Regards, 
&nbsp;  
&nbsp; --  
&nbsp; Benoit

Forum Discussion

Client Authentication: Several 'trusted root CA' for one HTTPS VIP ?

2 Replies

Recent Discussions

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Trust your CDN, but not completely

Creating device trust / trust-domain through iControl REST Call(s)

Doing mTLS Authentication per URL

Copy over self IPs from several partitions