

vandenhoutenp_9 (Nimbostratus)
May 09, 2014

CA Profiles and Machine Cert Checks

Hi guys,


I'm trying to configure our access policy to check and validate a machine certificate installed on the end user laptops. This is what I've configured:


  1. A CA profile referencing the certificate for the Root CA (I've also tried using the Issuing CA)
  2. A Machine Cert Auth check in the access policy using the following options:
    • Certificate store name: MY
    • Certificate store location: LocalMachine
    • CA profile: Profile configured in point 1
    • OCSP responder: None
    • Certificate match rule: Issuer (CN=COMPANY Root CA, OU=Certificate Authorities, DC=companyname, DC=com)

The certificate check is failing and I get a result of -2. Regarding the certificate match rule, I've tried the various options to see whether or not it makes a difference but unfortunately it doesn't.


Furthermore in the APM logs I see this line:


MachineCert Agent: Init failed in '/Common/Machine_Cert_Test_act_machinecert_auth_ag' reason 'Loading CA file failed'


The error suggests it could be an issue with my CA profile. Does the CA profile need to reference the Root CA and Issuing CA as a bundle rather than one or the other as individual certificates?


Thanks


Peter


1 Reply

At a minimum, you will definitely need the entire trust chain in your CA profile.