Forum Discussion
Basic Machine Cert inspection in APM Policy
Hi Guys
Just a newbie question here I guess. I need to setup a basic Machine Cert Auth action in my access policy. I've read the documentation but it just describe it, just not naming conventions etc.
I've checked my PC and I get a valid machine certificate and its stored in Certificates (Local Computer)\Personal\Certificates. Its a valid machine cert issued to the machine with the correct FQDN and issued by my Subordinate CA.
In the Machine Cert Auth action, I'm not sure what to name the Certificate Store. I've tried personal and personal\certificates but I'm not sure if its actually finding the certificate.
Certificate Store Location is LocalMachine. CA Profile is /Common/certificateauthority (all default settings - can't seem to select a valid CA cert inside this profile it just keeps resetting to none) OCSP Responder is None Certificate Match Rule SubjectCN Match FQDN
It doesnt need to be fancy just yet. All I want it to do is check that it has a valid machine cert issued from our internal CA and that it hasn't expired. THen it passes on to the next auth method.
No idea where to start really, the only error I can see if the reports is machinecert_auth_ag.result -2
I can't even tell if the policy is finding the certificate.
HELP!? :)
- Pete_L_112517Nimbostratus
Yep, I know what you mean (I think) but apologies I think my terminology is wrong.
I have a list of certs, and some are external CA's which aren't we want to use. I had to "chain" some external certs for a different purpose. In this instance I only need to verify against an internal CA, which I have the certificate for on the appliance.
The issue is that when I select any certificate in this list, the selection won't stick.
Here is a screenshot of what I'm trying to change (had to black out some info that made me identifiable as I can't upload for some reason)
- Kevin_StewartEmployee
When you say "list of all my device certs and chain certs", are you actually referring to CA certs? This selection should only contain CA certs, and should contain all CA certificates in the path to establish a full chain of trust. If you have more than one CA in that path, then you need to create a text file bundle of all of these certs (in base64 PEM format).
- Pete_L_112517Nimbostratus
Thanks Kevin, thats where I thought the problem has been - no trusted CA to actually verify the cert it see.
The issue I am having with the process now is when I create a CA profile, in the drop down of Trusted Certificate Authorities, I can see the list of all my device certs and chain certs but when I select one and goto save the profile, the selection in that dropdown just reverts back to "none" every time.
I am running an older version of software (11.1 HF4) so I might have get an outage to update the software to see if this is a bug in this version.
- Kevin_StewartEmployee
I would make the following adjustments to the Machine Cert Auth agent:
Certificate Store Name: MY
Certificate Store Location - LocalMachine
CA Profile - it should be a SSL certificate authority profile that contains a CA cert (or bundle of CA certs) that can validate the machine cert. This profile is created in the GUI under Local Traffic - Profiles - SSL - Certificate Authority
OCSP Responder - none
Certificate Match Rule - any (for now)
Save Certificate in a Session Variable - enabled
Allow UAC right elevation prompts - yes
- Pete_L_112517Nimbostratus
Deleted the Machine Cert Auth Action, and re-added it to the policy and get the exact same result.
The certificate store is back as "MY" but still not reference in the logs that it has found a certificate.
I've just re-added the Anti-Virus inspection, and its passing that so I know for sure that it is able to inspect the client in some way.
- Kevin_StewartEmployee
If your machine certs are in the default location, the Certificate Store should just be the string "My". Don't ask me why...
All of the other settings can be left at default to start with.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com