Aashutosh_Mahaj
Jun 29, 2020

CLIENT CERT INSPECTION ROLE

what does the client cert inspection box do exactly?

can someone please explain it to me step by step?

I have done my research and below is my understanding - please validate and answer my queries.

In client ssl profile > client authentication > we have selected request, keeping the same root certificate under Trusted and Advertised certificate authorities.

what is the importance of Trusted Certificate Authorities?

what is the importance of Advertised Certificate Authorities?

Now I am assuming that due to this setting F5 is requesting the user certificate from a laptop when the laptop tries to connect to the BIG-IP Edge client (VIP)

in return the laptop is providing F5 with a user certificate which is being checked by CLIENT CERT INSPECTION?

what certificate and what part of that certificate is being validated by CLIENT CERT INSPECTION? how?

this check is executing successfully for us - but I really want to know what makes it successful - to understand the need for this check..

by the logging box with session variable Client Cert = session.ssl* > we are reading many details of the user certificate from the laptop.

but as per the link https://support.f5.com/csp/article/K81201333,

log entry 'Jun 29 09:25:33 lb-abc notice apmd[15315]: 01490113:5: /xyz/pqr:lmno:7678db50: session.ssl.cert.valid is 0'

certificate validity, signature, issuer etc. all ok? against what is it being validated?

pardon me, i am new to all certificate stuff and apm as well :(

 

 

4 Replies

  • Aashutosh,

    > what is the importance of Trusted Certificate Authorities ?

    > what is the importance of Advertised Certificate Authorities ?

    Instead of me writing out what's already available in the GUI, go to your clientssl profile and open it so you can see its configuration options. Now under the F5 logo at the top left where it says Main, select Help next to it. Then scroll down. If it's easier, use the Launch button to pop out a separate window. In there you will find detailed explanations for each setting. This is basically the product manual built into the F5 device.

    > what certificate and what part of that certificate is being validated by CLIENT CERT INSPECTION? how?

    All certificates are issued by a CA or certificate authority. Essentially, in the SSL profile under client authentication you specify which CA. You do this by providing the actual CA certificate. The F5 will prompt for a client certificate; when the client provides it, the F5 will check that it was issued by that CA.

    Now if you set the authentication to require in the authentication section of the SSL profile, it will not allow the connection to be established if the certificate does not match. This is not ideal when you later want to make a decision in the APM policy. So usually when using APM you would set this to request. Then when the APM policy starts you can decide what you want to do with the Client Cert Inspection in your policy.

    This object simply reflects the outcome of the client certificate check way back when the connection was started and SSL was being negotiated. This allows you to make decisions on whether they can proceed, or not. There may be a type of client that does not support client certificate auth. So you can make that decision prior to Client Cert Inspection and only use this for client types that support it.
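Added example, not from the thread or from F5: a small openssl lab that reproduces the outcomes the reply above describes, a user certificate chaining to the CA placed under Trusted Certificate Authorities (valid) versus one issued by a different CA or checked outside its validity window (not valid). The CA names, user names and helper function names are made up; the real check is performed by BIG-IP's TLS stack during the handshake, and this only mirrors it with the openssl CLI.

```shell
#!/bin/sh
# Constructed lab, not BIG-IP code: mirror the clientssl-profile client-certificate
# check whose result APM exposes as session.ssl.cert.valid.
set -e
LAB=$(mktemp -d)
cd "$LAB"

# A CA standing in for the bundle configured under Trusted Certificate Authorities.
make_ca() {  # $1 = file basename, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# A user certificate signed by a given CA, like the one the laptop presents.
issue_client_cert() {  # $1 = CA basename, $2 = cert basename, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -out "$2.pem" >/dev/null 2>&1
}

# The inspection itself: the chain must end at the trusted CA and the certificate
# must be inside its notBefore/notAfter window at the time of the check
# ($3 = epoch seconds, defaults to now). Prints 1 for valid, 0 otherwise,
# the same shape as session.ssl.cert.valid in the log line quoted in the question.
inspect_client_cert() {  # $1 = trusted CA file, $2 = client cert file, [$3 = check time]
  when=${3:-$(date +%s)}
  if openssl verify -CAfile "$1" -attime "$when" "$2" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

make_ca trusted "Lab Root CA"            # the CA the virtual server trusts
make_ca untrusted "Some Other Root CA"   # a CA it has not been told to trust
issue_client_cert trusted user1 "user1@lab"
issue_client_cert untrusted user2 "user2@lab"

echo "user1 (issued by the trusted CA):    $(inspect_client_cert trusted.pem user1.pem)"
echo "user2 (issued by an untrusted CA):   $(inspect_client_cert trusted.pem user2.pem)"
echo "user1 checked on 2100-01-01 (expired): $(inspect_client_cert trusted.pem user1.pem 4102444800)"
```

The third line shows the expiry case raised later in the thread: a good issuer alone does not make the certificate valid once its notAfter date has passed.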

     

    • Aashutosh_Mahaj

      "This object simply reflects the outcome of the client certificate check way back when the connection was started and SSL was being negotiated." >> so what happens if the user certificate is validated by root successfully but it's expired?

      as per this link https://support.f5.com/csp/article/K81201333, log 'session.ssl.cert.valid is 0' means everything else (all codes other than 0 in the link) on the cert is ok


  • That’s what the CRL or certificate revocation list is for. See the help below the other settings I mentioned earlier.