Amartya_Ghosh_1
Feb 28, 2014

2 Way SSL implementation

Hi,

I have a requirement to implement 2-way SSL. I do not have much idea about this. Can anyone please help or guide me on what I need to consider and how to implement it?

I am using LTM 8900 version 10.2.

14 Replies

  • Two-way, or "mutually authenticated", SSL generally means using server AND client certificates. Your client SSL profile has two sections:

    1. For regular server SSL, you apply a server certificate and private key at the top of the configuration. This is the certificate that the server sends to the client during the SSL handshake.

    2. For client certificate authentication, there's a section near the bottom called "Client Authentication". There are two settings that are important here:

      • Client Certificate: set this to request or require
      • Trusted Certificate Authorities: this is a single CA certificate or a bundle (text) file of all of the CA certificates that may be needed to validate a complete trust path with the client's certificate. In v10 I think this option is near the top of the page, but it should actually be in the Client Authentication section.

    With these 4 things applied (server cert, server key, client certificate set to request/require, and a trusted certificate authority certificate/bundle), you should be able to perform two-way SSL. The client initiates the SSL handshake, the server sends its certificate for the client to validate, the server requests the client's certificate, and the client passes its cert to the server for it to validate. What you do with the client cert after that is perhaps a different topic.

  • You can do certificate revocation checking, but it's not expressly required. The bare minimum for client cert auth is that you have the CA certificate/bundle file that the LB will need to validate its trust in the client cert.

  • Please help me with step-by-step instructions on how to configure 2-way SSL authentication for my virtual server. Only 2-way SSL authentication - not more. I have the web site certificate and chain certificate only. Thank you.

    • Kevin_Stewart

      Sure.

      1. Install the chain (subordinate CA) certificate
      2. Install the web server certificate and private key
      3. Create the client SSL profile
        • Certificate Key Chain: web server cert and private key. You can optionally include the chain cert if you want the F5 to pass this CA cert to the client during the TLS handshake, to help the client do validation in case the client doesn't have this CA cert. This only works for subordinate CA certs.
        • Client Authentication - Client Certificate: request or require. The difference is that request makes the request but fails open if validation fails. Require fails closed.
        • Client Authentication - Trusted Certificate Authorities: select the chain cert. This subordinate CA is used to validate/trust the client's certificate.
      4. Bind the client SSL profile to a virtual server

      These are the absolute simplest and minimal requirements for 2-way (mutual) TLS authentication.

    • Gicu_337843

      I think you didn't understand me. I have a virtual server, e.g. 10.0.0.10. I have 2 sites on it. I configured one-way SSL for my VS: created a client SSL profile, added the certificate, key and chain, and bound it to my VS. Now I want to configure 2-way SSL for this VS, where we need the public certificate only. The customer sent me a certificate and a chain certificate - 2 files only. (We need only client authentication with a certificate, where the key is not required, because we need to trust only the public certificate that the client sends to us; the private key always remains with the certificate owner and is never exchanged.) What must I do with those certificates, and how do I configure them, the web site certificate and the chain certificate?

    • Kevin_Stewart

      I believe I understood you.

      You're correct that the client possesses a public certificate and private key, and the private key is never exposed. 2-way (client certificate) authentication involves 3 additional messages in the TLS handshake:

      • The server says "Certificate Request"
      • The client responds with "Certificate", which contains the certificate and public key
      • The client follows that with "Certificate Verify", which is a digitally signed hash (a hash encrypted with the client's private key)

      The server uses the client's public key to validate the hash, thus authenticating the user. Server authentication always happens, and is a basic function of the TLS handshake. To configure 2-way TLS on a BIG-IP, you simply need the following:

      • A standard client SSL profile with the server cert and key
      • Client Authentication in that client SSL profile set to 'request' or 'require'
      • Trusted Certificate Authorities in that client SSL profile set to the issuer (i.e. chain) CA of the client's cert. This certificate, or certificate bundle, is used to validate/trust the client's certificate and is absolutely required.
      The tricky part is going to be doing 1-way and 2-way TLS on the same VIP. Normally you can apply multiple client SSL profiles with different certs and Server Name (SNI) values, but those profiles can't have different client authentication settings. It'd be far easier to separate this into separate VIPs, each with a different client SSL profile. Otherwise, if you're making the SSL auth decision based on the source address, you can switch the client SSL profiles in an iRule. If you have to make the decision based on the hostname, it gets more complicated.
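The handshake Kevin describes above (Certificate Request, Certificate, Certificate Verify) and the request-versus-require distinction from his earlier reply, shown as an added example that is not from this thread or from F5: a self-contained Go program that builds a throwaway CA, a server certificate and two client certificates in memory, then runs the handshake through Go's crypto/tls, whose ClientAuth and ClientCAs settings correspond to the profile's Client Certificate and Trusted Certificate Authorities fields. All names (ca.example.test, vip.example.test, client-01/02) and the scenario labels are constructed for the example, and Go's RequestClientCert / RequireAndVerifyClientCert stand in for BIG-IP's request / require.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Verdict is the server's view of one handshake: completed or not, and the client CN it saw ("" if none).
type Verdict struct {
	Accepted bool
	ClientCN string
}
// issue generates an Ed25519 key and a certificate for cn (self-signed when parent is nil); eku == ExtKeyUsageAny builds a CA.
func issue(serial int64, cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // clients match the server's SAN, not its CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if eku == x509.ExtKeyUsageAny {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one handshake against an in-process server with the given client-auth mode and CA bundle.
func Handshake(mode tls.ClientAuthType, server tls.Certificate, trusted *x509.CertPool, client *tls.Certificate) Verdict {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server}, // Certificate Key Chain: server cert + key
		ClientAuth:   mode,                      // Client Certificate: request vs. require
		ClientCAs:    trusted,                   // Trusted Certificate Authorities
	})
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	done := make(chan Verdict, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake() // "require" with a missing or untrusted cert fails here
		}
		if err != nil {
			done <- Verdict{}
			return
		}
		v := Verdict{Accepted: true}
		if peers := c.(*tls.Conn).ConnectionState().PeerCertificates; len(peers) > 0 {
			v.ClientCN = peers[0].Subject.CommonName
		}
		done <- v
	}()
	cfg := &tls.Config{RootCAs: trusted, ServerName: "vip.example.test"}
	if client != nil { // answer Certificate Request with this cert; CertificateVerify is signed with its key
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return client, nil }
	}
	if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		c.Read(make([]byte, 1)) // under TLS 1.3 a rejection may only surface on the first read
		c.Close()
	}
	return <-done
}

// Scenarios runs the cases the thread contrasts, keyed by a short label.
func Scenarios() map[string]Verdict {
	ca := issue(1, "ca.example.test", x509.ExtKeyUsageAny, nil)
	server := issue(2, "vip.example.test", x509.ExtKeyUsageServerAuth, &ca)
	good := issue(3, "client-01.example.test", x509.ExtKeyUsageClientAuth, &ca)
	bad := issue(4, "client-02.example.test", x509.ExtKeyUsageClientAuth, nil) // self-signed: not in the bundle
	trusted := x509.NewCertPool() // the Trusted Certificate Authorities bundle
	trusted.AddCert(ca.Leaf)
	return map[string]Verdict{
		"require/trusted cert":   Handshake(tls.RequireAndVerifyClientCert, server, trusted, &good),
		"require/no cert":        Handshake(tls.RequireAndVerifyClientCert, server, trusted, nil),
		"require/untrusted cert": Handshake(tls.RequireAndVerifyClientCert, server, trusted, &bad),
		"request/untrusted cert": Handshake(tls.RequestClientCert, server, trusted, &bad),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Running it shows require accepting only the client signed by the trusted CA and refusing both the missing and the self-signed certificate, while request completes the handshake even for the self-signed one and merely records its CN, which is the fail-open behaviour Kevin warns about. Two details are worth noticing: the verdict is taken from the server side because, under TLS 1.3, a client can finish its half of the handshake before the server has looked at the certificate, so a successful Dial proves nothing; and the client is forced to present its certificate through GetClientCertificate because Go's default client quietly withholds a certificate whose issuer is not in the server's CA list.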

       

  • Steps to enable Client-SSL:

    A. Generate CSR: log in to the F5 active device, go to System ›› File Management : SSL Certificate List, click the Create button and fill in the details. Note: in Common Name you need to enter the FQDN. If it is not a wildcard certificate, enter the FQDN as-is. If it is a wildcard certificate, put * before the FQDN. Always select a key size of 2048.

    B. Download the CSR file and send it to the vendor.

    C. The vendor will provide the following certificates:

      • Website certificate -- this is the one you need to import
      • AddTrustExternalCARoot
      • UserTrustSAAddtrustCA
      • Trusted Secure Certificate Authority

    D. Now import the certs: System ›› File Management : SSL Certificate List ›› Import

    E. Import the key the same way: System ›› File Management : SSL Certificate List ›› Import

    Both cert and key should have the same name.

    Once the cert, key and intermediate certs are imported, we need to create the SSL client profile.

    F. Configure the new SSL certs under the client profile:

    Create a new profile: go to Local Traffic ›› Profiles : SSL : Client. In Certificate, Key and Chain, select the files which you created, then click Add. Once the certificate key chain is updated, click Finished.

    Most of the time you need to update the intermediate certificate. Then you need to bundle the certificates other than the website certificate, import that bundle, and reference it in the SSL client profile's Chain section.
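Step A above describes the CSR in GUI terms. As an added example that is not from this thread or from F5, here is a Go program using only the standard library that produces an equivalent request offline and checks it before it goes to the vendor: a 2048-bit RSA key, the FQDN as Common Name, the "*." prefix when a wildcard is wanted, and the same names repeated in the SAN extension, which is what browsers actually validate. The host names and organisation are constructed sample values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// CSR holds the two halves of the procedure: the PEM request that goes to the
// vendor and the PEM private key that stays on the device and is imported
// beside the issued certificate under the same name.
type CSR struct {
	RequestPEM []byte
	KeyPEM     []byte
}

// Summary lists the fields an operator should check before sending a request off.
type Summary struct {
	CommonName string
	DNSNames   []string
	KeyBits    int
}

// BuildCSR generates a 2048-bit RSA key and a request whose Common Name is the
// FQDN, prefixed with "*." when a wildcard certificate is wanted.
func BuildCSR(fqdn string, wildcard bool, org string) (*CSR, error) {
	if fqdn == "" || strings.ContainsAny(fqdn, "* /") {
		return nil, errors.New("fqdn must be a bare host name; use wildcard=true for a wildcard request")
	}
	cn := fqdn
	names := []string{fqdn}
	if wildcard {
		cn = "*." + fqdn
		names = []string{cn, fqdn} // a wildcard does not cover the bare domain itself
	}
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size 2048, as the steps above require
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames: names,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return &CSR{
		RequestPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}),
		KeyPEM:     pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}),
	}, nil
}

// InspectCSR parses a PEM request, verifies its self-signature (proof that the
// requester holds the private key) and rejects keys shorter than 2048 bits.
func InspectCSR(requestPEM []byte) (Summary, error) {
	block, _ := pem.Decode(requestPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return Summary{}, errors.New("not a PEM certificate request")
	}
	req, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return Summary{}, err
	}
	if err := req.CheckSignature(); err != nil {
		return Summary{}, fmt.Errorf("CSR signature does not verify: %w", err)
	}
	pub, ok := req.PublicKey.(*rsa.PublicKey)
	if !ok {
		return Summary{}, errors.New("expected an RSA public key")
	}
	if pub.N.BitLen() < 2048 {
		return Summary{}, fmt.Errorf("key is only %d bits; 2048 is the minimum", pub.N.BitLen())
	}
	return Summary{CommonName: req.Subject.CommonName, DNSNames: req.DNSNames, KeyBits: pub.N.BitLen()}, nil
}

func main() {
	csr, err := BuildCSR("example.test", true, "Example Org") // constructed sample values
	if err != nil {
		panic(err)
	}
	s, err := InspectCSR(csr.RequestPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN=%s SAN=%v key=%d bits\n", s.CommonName, s.DNSNames, s.KeyBits)
	fmt.Print(string(csr.RequestPEM)) // this is what goes to the vendor
}
```

InspectCSR is the check an operator can run on any PEM request: it refuses anything that is not a CSR, verifies the request's own signature and rejects keys below 2048 bits. The key PEM is the part that never leaves the device; it is what gets imported under the same name as the issued certificate in steps D and E.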

     

  • Server SSL:

    Just apply the default server SSL profile "serverssl-insecure-compatible" to the virtual server.

    or

    You can create a Server SSL profile using the same certificate and key which you applied to the SSL client profile.

  • Kevin, 2-way SSL is working with your config. Thank you. Please help me configure automatic updates for the CRL file in F5 version 13.

    • Kevin_Stewart

      Gicu,

      There is no auto-update function for CRLs. Most admins will create an external monitor or periodic iCall script to update the CRLs. It's also worth noting that, if at all possible, OCSP and OCSP stapling are superior methods for certificate revocation.

    • Gicu_337843

      Kevin, sorry to disturb you. Please help me if you know. I have tried the tmsh command below and it is working:

        modify sys file ssl-crl ROOT_OMDEXT_CA.crl source-path https://dl.dropboxusercontent.com/u/xxxxxx/CA_XCA_Root.crl

      I have tried the same command in an iCall script but it is not working:

        create script omdcrl {
            app-service none
            definition {
                tmsh::modify sys file ssl-crl XCA_CRL.crl source-path https://dl.dropboxusercontent.com/u/xxxxxx/CA_XCA_Root.crl
            }
            description none
            events none
        }

      If I change source-path to file:/shared/tmp/CA_XCA_Root.crl, it works.

    • Kevin_Stewart

      It may just be that you can't retrieve it from a dropbox link. I just tested with a generic Apache server and it worked fine.