Forum Discussion
CA Profile and Machine Cert Authentication
Hi guys,
We are trying to configure a CA profile and subsequently make use of Machine Cert Authentication on an APM profile. So far we have done the following:
Our certificates are currently issued from an internal CA, and the Root and the Issuer CA are the same server. We have exported the Root Certificate and imported it into the F5 appliance. Then we created an SSL Profile for the Certificate Authority (Our_Root_CA).
Afterwards we assigned a Machine Cert Auth with the following configuration:
Certificate Store Name: MY
Certificate Store Location: CurrentUser
CA Profile: /Common/Our_Root_CA
OCSP Responder: None
Save Certificate in Session Variable: Disabled
Allow User Account Control right elevation prompts: No
Match subject CN with FQDN: No
Match subject Alt Name with FQDN: empty
Match Issuer: empty
Match Serial Number: empty
However, every time we try to authenticate the certificate, APM is returning "Session variable 'session.check_machinecert.last.result' set to '-2'".
Can you please help me out?
1 Reply
- MS
Nimbostratus
Hi, in case you want to use Machine Cert authentication, please try out the following. In your config, please change the following:
Certificate Store Location: LocalMachine
CertificateMatchrule: Issuer (add your issuer info, CN= etc.)
That should work.
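
To see on the Windows client which store actually holds a certificate from your CA, the PowerShell below lists matching certificates in both the LocalMachine and CurrentUser MY stores and reports whether each has a private key, is inside its validity period, and permits client authentication. It is an added example, not part of the original thread or of F5's documentation; the issuer string and the function name are placeholders to adapt.

```powershell
# Added diagnostic example (not from the original thread).
# $IssuerPattern is a placeholder: set it to the CN of your own issuing CA.
param(
    [string]$IssuerPattern = 'CN=<your issuing CA CN>'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID
$now = Get-Date

# Hypothetical helper: returns one summary object per certificate in
# $StorePath whose Issuer contains $IssuerPattern (case-insensitive).
function Get-CandidateMachineCert {
    param([string]$StorePath, [string]$IssuerPattern)

    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Issuer.IndexOf($IssuerPattern, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } |
        ForEach-Object {
            $cert = $_
            $ekuOids = @($cert.EnhancedKeyUsageList |
                Where-Object { $_ } |
                ForEach-Object { $_.ObjectId })
            [pscustomobject]@{
                Store         = $StorePath
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
                # A certificate with no EKU extension is not restricted to specific usages.
                ClientAuthEku = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)
            }
        }
}

# "MY" in the APM settings is the Personal store, exposed as ...\My here.
$results = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My' |
    ForEach-Object { Get-CandidateMachineCert -StorePath $_ -IssuerPattern $IssuerPattern }

if (-not $results) {
    Write-Warning "No certificate with issuer matching '$IssuerPattern' found in either store."
}
$results | Format-Table -AutoSize
```

If the only match is under `Cert:\LocalMachine\My`, the Certificate Store Location in the Machine Cert Auth item has to be LocalMachine, as the reply suggests.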