Forum Discussion
C3D, Client Certificate passing issue
For application new requirement, we need to pass the client certificate to backend server. We enabled the C3D option on the client and server SSL profile.
I created the CA certificate and key (https://support.f5.com/csp/article/K14499) and attached to Server SSL profile.
The below be the client and Server SSL profile (https://support.f5.com/csp/article/K14065425) . Refer the below settings.
Prerequisites:
• You must have a CA-Bundle used to validate incoming client certificates. --> Used Company's Certificate Bundle
• You must have a Certificate and Key for Reverse Proxy --> Current application certificate
• You must have a CA Certificate and Key that has the ability to create new certificates --> Created CA certificate and key from F5 (https://support.f5.com/csp/article/K14499)
But when the client try to access application, we are getting SSL handshake error.
Any configuration need to correct on F5 or ?
Appreciate your help on this.
021-07-12 01:34:31,510 +0000#INFO#com.sap.scc.rt#com.sap.scc.servlets.AccessControlServlet$3#
#SccEndpointValidator has thrown exception for HTTPS://141.122.200.74:64801: Received fatal alert: handshake_failure javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2021-07-12 01:34:31,510 +0000#INFO#com.sap.scc.ui#com.sap.scc.servlets.AccessControlServlet$3# #Error when checking local connectivity to gatewaypp:64801 --> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Hello Daniel,
Still I am not clear the CA certificate which i created through the LTM ((https://support.f5.com/csp/article/K14499) work or not?
I provided the CA certificate which created through LTM to application owner to upload those into their trusted store.
Now I am waiting for their test result.
I will keep you update on this.
Regards,
Kannan.
Hello Kannan,
how you describe it, it sounds ok. The certificate created in "Creating a trusted CA key and certificate", Step 3: Generate a CA certificate by using the following command syntax" is the one that should be trusted by the application server.
KR
Daniel
Hello Daniel,
Thanks for your update.
First: The CA key/certificate you are using for C3D is not capable to create new certificates (must be type: Issuing CA Certificate).
--> I am not sure how to create Issuing CA certificate. I created the CA certificate and key (https://support.f5.com/csp/article/K14499) and attached to Server SSL profile.
When I tried to capture the logs, the F5 is not sending any certificate to backend. Refer the attachment.
Second: the application / web server does not trust certificates issued by this Issuing CA.
Did you import this certificate on the application / web server as a trusted CA?
--> I provide the CA certificate (which created above) to the application owner to put in the trusted CA list.
But, if eel, first we need to fix the above issue ( F5 is not sending client certificate to backend)
In the Prerequisites section of K14065425 it is stated that:
- You must have a CA-Bundle used to validate incoming client certificates.
- You must have a Certificate and Key for Reverse Proxy.
- You must have a CA Certificate and Key that has the ability to create new certificates.
This CA Certificate and Key must be used in the Server SSL profile in the CA Certificate and CA Key fields. And the backend server must trust certificates issued by this CA.
Hi Kannan,
your config looks right. From my memory there are two things that could possibly be wrong.
First: The CA key/certificate you are using for C3D is not capable to create new certificates (must be type: Issuing CA Certificate).
Second: the application / web server does not trust certificates issued by this Issuing CA. Did you import this certificate on the application / web server as a trusted CA?
You can do a tcpdump between the F5 and the application / web server and you will see the TLS handshake, from the handshake / tcpdump you can export the certificates that the F5 sends to the backend and check if they are issued properly.
KR
Daniel
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com