Forum Discussion

Sarah's avatar
Sarah
Icon for Cirrus rankCirrus
Apr 14, 2023

C3D forged certificate

Hello Community, I have a service that requires client authentication "mutual TLS" between the app server and the client. Since BIG-IP is in between, I configured my virtual server to use C3D (Clie...
application delivery
  • Kevin_Stewart's avatar
    Kevin_Stewart
    Apr 18, 2023

    Here's another resource for C3D configuration: https://community.f5.com/t5/technical-articles/ssl-orchestrator-advanced-use-cases-client-certificate/ta-p/286005, It's specific to SSL Orchestrator integration, but goes into details on the C3D setup and various use cases.

    Per your question, C3D forges a new client certificate, signed/issued from your local CA. During the forging process, C3D will copy important attributes over from the real certificate, including subject CN, any extensions you specify to be copied in the "Certificate Extensions" setting in the server SSL profile, plus any that you may inject via SSL::c3d iRules. It won't have the same issuer, fingerprint, thumbprint, etc. because it's effectively a new certificate from a different issuer. Your internal application needs to be able to validate client certificates from this new/local CA. 

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

I guess I am late to the party, but I wanted to add some observations from my experience.
In the Server SSL profile where you configure the CA Certificate & Key it is important to use a certificate that has ability to issue new certificates, for example a SubCA certificate.
The BIG-IP will then use this cert to issue a new certificate based on your client cert and it will send this cert plus the SubCA cert to the pool member.

On the pool member, I used NGINX in my test, you need to store the chain (Root and SubCAs) the file referenced in ssl_client_certificate directive.

KR
Daniel

 

 

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 20, 2023

Great point Daniel_Wolf.  The minimum qualifications for a certificate authority would be:

Basic Constraints: critical
CA:TRUE
Key Usage:
   Digital Signature (digitalSignature)
   Certificate Sign (keyCertSign)

It doesn't have to be a subordinate CA. Can be a root. But it's certainly more practical (and secure) to use a subordinate CA for these functions.

 

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Apr 23, 2023

    Kevin_Stewart - IMHO this bit of information should be mentioned in the K14065425 article. Not some knowledge that is handed-down from seasoned F5 master to padawan. 🙂