Forum Discussion

Claes_16473
Mar 29, 2010

BIG-IP SSL monitor with client certificate ?

Hi,

We are for the moment planning to load balance a number of new systems through the BIG-IP.

It will be overall https traffic, but the SSL sessions are not going to be terminated in the load balancer.

I'm today using SSL monitors against systems where the application is not requiring a client certificate, and it works completely OK.

The security product protecting the coming applications is, however, as a part of the SSL session setup, requesting a client certificate.

So I have to configure an SSL monitor to use a client certificate, and I have a few questions:

I'm now going to order the certificates for the BIG-IP and I've seen the SOL7532 instruction.

1) After combining the certificate and key into a single file, is there really a possibility in the monitor configuration to specify a "fully qualified path" as the instruction says? What I see for the moment in the certificate drop-down list is only the names ca-bundle and default.

2) If I will be able to specify the combined file in the certificate field, then I suppose that I should leave the client key field blank?

3) I can order the certificate in PEM/base64 format. Our CA authority would possibly require me to order the certificate with a passphrase for the key, I suppose. Would that work for the monitor, or do I have to get a certificate/key without a passphrase?

I can't see anywhere to configure a passphrase for a monitor.

4) I have requested to get the certificate/key to be used identically on both the BIG-IPs in the HA pair, but the CA would prefer to have a unique certificate/key for each BIG-IP.

Would that work with the synchronization? I've told them that the synchronization will include the certificate files and overwrite what's in the unit you are synchronizing against, and that requires me to use only one combination of the certificate/key files for both machines. Am I right?

Please advise, regards

Claes
  • hoolio
    Hi Claes,

    Which LTM version are you running? I think the options for HTTPS monitors have changed slightly in recent versions.

    1) After combining the certificate and key into a single file, is there really a possibility in the monitor configuration to specify a "fully qualified path" as the instruction says? What I see for the moment in the certificate drop-down list is only the names ca-bundle and default.

    In 10.1, you'll need to import the client cert and key separately (or just copy them to /config/ssl/ssl.crt and /config/ssl/ssl.key respectively) and then select them in the GUI for the monitor.

    2) If I will be able to specify the combined file in the certificate field, then I suppose that I should leave the client key field blank?

    I don't think you can include them together in the same file. I think you must specify the cert and key separately in the monitor config.

    3) I can order the certificate in PEM/base64 format. Our CA authority would possibly require me to order the certificate with a passphrase for the key, I suppose. Would that work for the monitor, or do I have to get a certificate/key without a passphrase?

    I can't see anywhere to configure a passphrase for a monitor.

    It doesn't look like the HTTPS monitor supports a passphrase for a key. Even if the key was originally created with a passphrase, you can remove it using openssl on the LTM command line:

    openssl rsa -in /config/ssl/ssl.key/client.encrypted.key -out /config/ssl/ssl.key/client.decrypted.key

    4) I have requested to get the certificate/key to be used identically on both the BIG-IPs in the HA pair, but the CA would prefer to have a unique certificate/key for each BIG-IP.

    Would that work with the synchronization? I've told them that the synchronization will include the certificate files and overwrite what's in the unit you are synchronizing against, and that requires me to use only one combination of the certificate/key files for both machines. Am I right?

    When you sync the config, the shared configuration, including SSL certs and keys, will be loaded on the peer. So you can only have one cert/key per pair of units. The CA might want you to pay for multiple certs/keys, but functionally it makes no difference.

    Aaron
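As an added illustration of the steps Aaron describes (stripping the passphrase from the key and then selecting a cert/key pair for the monitor), the following POSIX shell helpers are not from the thread or from F5; they assume the openssl CLI is available, that the monitor needs an unencrypted PEM key, and use placeholder file paths:

```shell
#!/bin/sh
# Added example (not from the thread or from F5): prepare a client cert/key
# for a BIG-IP HTTPS monitor that has no field for a key passphrase.
# File paths are placeholders; per Aaron's reply, the LTM monitor picks
# up files from /config/ssl/ssl.crt and /config/ssl/ssl.key.
set -eu

# Return 0 when the PEM private key is passphrase-protected. Both the
# traditional ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED
# PRIVATE KEY") encodings carry the word ENCRYPTED in the header.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Write an unencrypted copy of key $1 to $2 using passphrase $3.
# umask 077 keeps the cleartext key owner-readable only; the passphrase
# is fed on stdin rather than the command line so it does not show in ps.
strip_passphrase() {
    umask 077
    printf '%s\n' "$3" | openssl rsa -in "$1" -passin stdin -out "$2"
}

# Return 0 when certificate $1 and private key $2 carry the same public
# key, i.e. the pair the monitor will present actually belongs together.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when cert $1 / key $2 are ready for the monitor: both readable,
# key unencrypted, and key matching the certificate.
monitor_key_ready() {
    [ -r "$1" ] && [ -r "$2" ] && ! key_is_encrypted "$2" \
        && cert_matches_key "$1" "$2"
}
```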
  • hoolio
    I think SOL7532 isn't accurate for 10.1 according to what I see in the GUI. You do need to specify the passphrase for the key when prompted when running the openssl command. And I do think you'll need to remove the passphrase from the key in order to use it in the monitor, as it doesn't look like the monitor accepts a passphrase.

    I don't have a 9.4.4 box readily available, but the options might be slightly different. I don't remember seeing an option for specifying a key passphrase in the GUI for 9.4.4.

    Aaron
  • Maybe SOL7532 isn't accurate for 9.4.4 as well. The reason for my question no. 1 was that it doesn't seem to be possible in the GUI for the monitor to specify a "fully qualified path" for the suggested combined file. I have one drop-down list for the certificate and another one for the key. CR77846 is probably resolved in 9.4.4.

    But now I've got my answers.

    - Better to get a certificate/key without passphrase; if not possible, I can remove it.

    - I'll need only one certificate for the HA pair.

    Thank you for your assistance Aaron!

    Best Regards

    Claes