Forum Discussion

Josh_Abaire
Jun 07, 2012

SSL Client Auth

I'm having trouble getting SSL Client Authentication to work; I've never done it before. The customer wants partners to obtain their own SSL certs from whatever authority they choose, then have the root and trust chain installed on the F5. A GoDaddy Root and Intermediate cert were provided to me. I wasn't sure how to make multiple certs trusted, so I imported them separately with one named bundle and then combined them:

cat /config/ssl/ssl.crt/godaddy-root.crt >> /config/ssl/ssl.crt/godaddy-bundle.crt

Configured the client SSL profile to require client certs with the godaddy-bundle as trusted authority and advertised authority. As you may guess, it didn't work. This is new territory for me. Can someone explain how the client cert is to be trusted and what I did wrong?

6 Replies

  • Did I stump the entire community? Is what I'm trying to do even possible?
  • Sorry, didn't see this till your recent post. I did this same thing last year. Your cat statement doesn't combine the root and intermediary certs. It only takes the root cert and creates a bundle cert with only the root cert in it. You need to include both root and intermediary certs to create the bundle, so it'd look like:

    cat /config/ssl/ssl.crt/intermediate.crt /config/ssl/ssl.crt/godaddy-root.crt > /config/ssl/ssl.crt/godaddy-bundle.crt

    Set trusted authority back to ca-bundle.

    Set advertised authority back to 'none' (this only advertises your list of trusted auths to clients; it's not necessary and reduces security).

    Set "CHAIN" to your new bundle - this is where your bundle is referenced.

    Cheers!
  • Thanks for the reply!

    I actually had five different certs bundled. I was trying to simplify things. They are all bundled in the same way into the bundle.crt.

    I'm assuming where I went wrong is I should set the bundle in Chain. I had it set in "Trusted Certificate Authorities." Should I have the same bundle in both?
  • You could set it for both if only those authorities will be connecting to you. Otherwise, I'd set trusted cert auths to ca-bundle, the default. As long as the chain is set to your bundle, it should work for you. Let me know how it goes.
  • Everything is working now. Thanks.

    Does anyone happen to know if encryption can be handled at the F5 while passing client certificate information to the server for authorization? The customer has an application that utilizes complicated authentication and authorization at the server. SSL currently terminates at the server, but they want some iRules that will dig into the HTTP header, so the encryption needs to be terminated at the F5. Is it possible to pass the client cert or x509 info, or something like that, to allow the client auth to happen at the server?
  • Have you seen these codeshare entries?

    Insert Client Certificate In Serverside HTTP Headers

    https://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx

    Request Client Certificate And Pass To Application by alankila

    https://devcentral.f5.com/wiki/iRules.RequestClientCertificateAndPassToApplication.ashx

    Additionally, there is the Proxy SSL feature in v11.

    sol13385: Overview of Proxy SSL feature

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
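The bundling point from the second reply (root-only bundle versus intermediate-plus-root bundle), as an added example that is not part of the thread and not F5 code: a constructed root CA, intermediate CA and partner client certificate are generated locally with OpenSSL (all names and file paths are made up), and openssl verify is used as a stand-in for the trust check a TLS endpoint performs.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): builds a constructed
# root CA -> intermediate CA -> client certificate chain with OpenSSL and
# compares a root-only bundle with an intermediate+root bundle.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions used for both the root and the intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Self-signed root CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

# Partner (client) certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=partner-client" \
  -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 30 -out client.crt 2>/dev/null

# Bundle as built in the original post: only the root ends up in the file.
cat root.crt >> root-only-bundle.crt
# Bundle as suggested in the reply: intermediate first, then root.
cat inter.crt root.crt > full-bundle.crt

# count_certs BUNDLE: number of PEM certificates in the bundle file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_client BUNDLE CERT: succeeds only if CERT chains to a trusted
# root through CAs that are all present in BUNDLE.
verify_client() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

echo "root-only bundle: $(count_certs root-only-bundle.crt) cert(s)"
echo "full bundle:      $(count_certs full-bundle.crt) cert(s)"
verify_client root-only-bundle.crt client.crt && echo "root-only: OK" || echo "root-only: FAIL (intermediate missing)"
verify_client full-bundle.crt client.crt && echo "full: OK" || echo "full: FAIL"
```

The same count check (grep for BEGIN CERTIFICATE) is a quick way to confirm on the F5 that a bundle file actually holds every CA you expected to concatenate.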