Forum Discussion

Zebra_131802's avatar
Zebra_131802
Icon for Nimbostratus rankNimbostratus
Dec 03, 2013

APM Machine Cert Auth unable to find the private key

I have been doing some testing within a customer environment for a SSL VPN solution. As part of the solution, a machine cert must be checked and validated before the logon page. My problem is that everytime the process exits through the "Found" rule, which according to F5 doc means no private key has been found. But my testing is based on a standalone edge client on windows 7 that includes the machine checker service, I also use local admin for all testing.

 

Looking into the cert itself, it definitely has an associated private key, there is an interesting issue that the key has a blank subject field, the DNS FQDN is specified in the SAN field. I doubt whether this is related to the issue that edge client can't find the private key.

 

Has anyone seen this before.

 

Thanks in advance.

 

BIG-IP Access Policy Manager (APM)
design
machine certificate
security
virtualization
  • Seth_Cooper's avatar
    Seth_Cooper
    Icon for Employee rankEmployee
    Dec 04, 2013

    The only time I have seen this is if the user doesn't have permission to the private key.

    To troubleshoot you need to do a few things...

    Enable client logging on the client machine by following the instructions on the following page by adding the registry entry described. http://support.f5.com/kb/en-us/solutions/public/12000/600/sol12639.html

    Using the Windows-based registry
1. Open the Registry Editor by typing the following command from the Run prompt:
    regedit
2. Expand the HKEY_CURRENT_USER tree.
3. Expand the Software tree.
4. Expand the F5 Networks tree.
5. Expand the RemoteAccess tree.
6. Click the Logging tree.
    Note: If you see the LogLevel DWORD value in the right panel, skip to Step 11.
7. Right-click on the Logging tree.
8. Click New. 
9. Click DWORD Value.
10. Type LogLevel in the box, and then press the Enter key.
    Note: Registry value names are case sensitive.
11. In the right panel, double-click LogLevel. 
    A pop-up window displays.
12. Select the Decimal for the base option.
13. In the Value data: box, type the logging level. 
    Type 63 to set debug logging level.
    Type 31 to set normal logging level.
14. Click OK.

    You will then want to navigate to 

    %userprofile%\Local Settings\Temp
    or 
    %temp%
    on Windows XP, or to 
    %userprofile%\AppData\Local\Temp
    or 
    %temp%
    on Windows 7 or Vista.

    Look for the log file 

    f5mcertcheck.txt
    and remove it. Connect to the APM and after it fails review the log file. If you would like you can post it here and we can try to see what is happening to cause your problems.

    Regards,

    Seth Cooper