Forum Discussion
APM - certificate based authentication
Hi,
I am looking for some help with APM. I am new to APM and looking for advice and comments on the below solution required. Apologies if I am putting this in the wrong forum.
Currently we have a SharePoint application published via APM to an internal group of users, which uses AD authentication. We have a new requirement to make it available via the internet for external users (using corporate laptops and mobile devices). We have decided to add additional security via certificate. I have used Client Cert Inspection to validate the certificate of the end user device and it's working in the test environment. But I have the below two points on which I need suggestions:
1. For mobile devices the certificate needs to be exported after validation of the mobile number. - Any suggestion on how this can be implemented? I found Google Authenticator Token Verification, but can this be implemented in a corporate environment?
2. The device certificate will expire after six months and then it needs to be renewed. - How can I add this in the access policy? Will the Client Cert Inspection function perform this, or do I need to put additional checks?
Regards,
AJ
3 Replies
- tiwang_122270
Nimbostratus
Hi AJ, I have a similar problem - can you tell me how you get the "client cert inspection" to work - which steps were needed?
- Kevin_Stewart
Employee
Super old post, but here are some thoughts.
- For mobile devices the certificate needs to be exported after validation of the mobile number. - Any suggestion on how this can be implemented? I found Google Authenticator Token Verification, but can this be implemented in a corporate environment?
Client certificate and Google Authenticator are generally different technologies (cert vs. one-time passcode). The client certificate, and private key, must be installed and accessible to whatever mobile application needs it. Where that is depends on the mobile platform. For iOS, there's a central key store that Safari uses, but some applications actually have their own key stores.
- The device certificate will expire after six months and then it needs to be renewed. - How can I add this in the access policy? Will the Client Cert Inspection function perform this, or do I need to put additional checks?
I want to first point out that a client certificate and a device certificate are different things. Device certificates are generally transparent to the user. As for expiration, that's a common problem often addressed by security policies and/or protocols like Simple Certificate Enrollment Protocol (SCEP).
Tiwang, are you looking for specific guidance on setting up client certificate authentication in APM, or something specific to mobile platforms?
- Asim_Sharfuddin
Nimbostratus
Hi,
Did you implement certificate based authentication? Please share your results.
