Forum Discussion
APM SSL_VPN Certificate Check Failing
Some of our Corporate laptops have multiple local machine Certificates from the same CA installed on them. We are using these certificates to verify that it is a Corporate device when attempting to establish a VPN tunnel in via APM.
We are getting the error message "X509_verify_cert failed: error : 10 at depth 0, error message:certificate has expired" because the APM is finding the expired cert and not the new one on the laptop. Is there any way to tell the APM to keep checking the LocalMachine store location for the second Certificate? We are trying to find a workaround until our Support team can remove the expired Certs from all the laptops.
2 Replies
- Seth_Cooper
Employee
Unfortunately there isn't much you can do from the APM side other than try to narrow it down to only find the valid search by looking for the issuer (which I assume will match both). APM will find the first certificate that matches the criteria in the VPE Action options and then test that certificate. If the expired certificate is found first then the process will error as that certificate is expired.
Would the certificates possibly be issued by a different CA? If so then you can limit the scope of the search.
If not, it appears you need to advise your users to delete the expired certificate if they have issues.
Seth
- theXfactor82_91
Nimbostratus
Unfortunately they are issued by the same CA.
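
The cleanup this thread ends up relying on (removing the expired machine certificate that sits beside a valid one from the same CA) can be checked and scripted on the laptops. The PowerShell below is an added example, not code from the posters or from F5; the issuer DN is a placeholder, and it assumes the certificates are in the `LocalMachine\My` store.

```powershell
# Added example, not from the thread.
# $IssuerDn is a placeholder: replace it with the exact Issuer string of your CA.
param(
    [string]$IssuerDn = 'CN=Example Corporate Issuing CA, DC=example, DC=com',
    [switch]$Remove   # without this switch the script only reports (dry run)
)

$now   = Get-Date
$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $IssuerDn }

# Split the matching certificates by validity window.
$valid   = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
$expired = @($certs | Where-Object { $_.NotAfter -le $now })

# Report every certificate from this issuer, oldest expiry first.
$certs | Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, NotBefore, NotAfter,
        @{ Name = 'State'; Expression = {
            if     ($_.NotAfter  -le $now) { 'Expired' }
            elseif ($_.NotBefore -gt $now) { 'NotYetValid' }
            else                           { 'Valid' }
        } } |
    Format-Table -AutoSize

if ($expired.Count -eq 0) {
    Write-Output 'No expired certificates from this issuer.'
    return
}

# Only clean up when a valid replacement exists, so the machine is never
# left without a certificate to present.
if ($valid.Count -eq 0) {
    Write-Warning 'Expired certificate(s) found but no valid replacement; nothing removed.'
    return
}

foreach ($c in $expired) {
    # -WhatIf stays on unless -Remove was passed. -DeleteKey also removes the
    # private key of the expired certificate. Deleting needs an elevated session.
    Remove-Item -Path $c.PSPath -DeleteKey -WhatIf:(-not $Remove)
}
```

Run it without `-Remove` first to see which thumbprints would be deleted on a given laptop.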