F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Edgar_Palamarch's avatar
Edgar_Palamarch
Icon for Nimbostratus rankNimbostratus
Oct 14, 2015

Client Authentication Based On URI

Hello, Currently, to configure client authentication on a URI, we create 2 client SSL profiles (one of which is parent for the other) and 2 iRules that check a data group against the URI list. The ...
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 16, 2015

The client will present a client certificate. The client SSL profile must just a) request a client certificate, and b) validate that client certificate.

 

The first (requesting a client certificate) is handled with the Client Certificate option under the Client Authentication section of the client SSL profile. Set it Require if you want to request a client certificate in the SSL handshake, but fail closed if they don't send one. Set it to Request if you want to request a client certificate in the SSL handshake, but fail open if they don't send one.

 

The second (validating the client certificate) is handled by the Trusted Certificate Authorities option also in the Client Authentication section. This needs to be a CA certificate, or bundle of CA certificates that the BIG-IP needs to establish a trust chain from the client's certificate all the way to the self-signed root CA.