
Muhammad_Irfan1
Nov 13, 2014

Client authentication fails when set to require.

I have set client authentication to require.

I have the CA chain in Trusted Certificate Authorities and a certificate and key in the certificate and key fields. I exported both the certificate and the key out of the F5, converted them to .pfx and put them in the client browser. All the CAs are also in the browser.

When I set client authentication to request, a green lock is shown in the browser, but when I set it to require the handshake fails.

Please help me. I can give all the data anyone requires.

 

1 Reply

Hi Muhammad,

The idea is that there are two endpoint certificates: one for the server, in this case the F5's client-ssl profile, and one for the client, in this case your browser. Both certificates should be signed by a CA; it doesn't have to be the same CA though. You could theoretically use the same certificate for both, but that makes little sense.

The client-ssl profile allows you to configure a few things:

• in order to have the F5 act as 'server' it needs:
  • a certificate (containing the public key)
  • the corresponding private key
  • the chain of certificates up to the root, excluding the root certificate itself
• in order to have the F5 act as 'server that requests a client certificate' it also needs:
  • to be enabled to request or require a client certificate (request means that when it fails, it is simply ignored; require means that you'll get a handshake failure message)
  • a CA to validate the certificate that your browser will send (Trusted Certificate Authorities)
  • a list of CAs to tell your browser which certificates it can try sending (Advertised Certificate Authorities)

If the F5 says that the browser must (setting on require) send a certificate that was signed by a CA with common name 'TEST' (Advertised Certificate Authorities), but the browser doesn't have such a client certificate, it will simply fail to send one and the F5 will abort the connection with a handshake failure message.

Does this answer your question?

Kind regards,

Thomas Schockaert
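The two conditions the reply describes for the browser side (the client certificate must chain to a CA in Trusted Certificate Authorities, and its issuer must appear in Advertised Certificate Authorities or the browser never offers it) can be checked offline with openssl before changing anything on the F5. The script below is an added example and is not code from the thread or from F5; it builds a throw-away CA named 'TEST' (the name used in the reply) plus an unrelated CA, issues one client certificate from each, and reports what a profile set to require would see in each case. The file prefixes, common names and the three verdict strings are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: reproduce the browser-side checks for a
# client-ssl profile set to 'require' using a constructed CA and client certs.
#   Check A: the client certificate chains to the trusted CA file.
#   Check B: the client certificate's issuer is one of the advertised CAs
#            (a browser only offers a certificate whose issuer is advertised).
# All CA names, subjects and file prefixes below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA; "$1" is a file prefix under $WORK, "$2" its common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}

# Client certificate "$1" with common name "$3", signed by CA prefix "$2".
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -days 1 \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Check A: exit 0 if client cert "$1" validates against CA "$2"
# (what the F5 evaluates on a certificate the browser did send).
chain_ok() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Check B: exit 0 if the issuer DN of client cert "$1" equals the subject DN
# of one of the advertised CA prefixes passed as the remaining arguments.
# Issuer and subject come from the same openssl binary, so their DN
# formatting matches and a plain string comparison is enough.
issuer_advertised() {
  local cert="$1" issuer subject ca
  shift
  issuer="$(openssl x509 -in "$WORK/$cert.crt" -noout -issuer | sed 's/^issuer=//')"
  for ca in "$@"; do
    subject="$(openssl x509 -in "$WORK/$ca.crt" -noout -subject | sed 's/^subject=//')"
    if [ "$issuer" = "$subject" ]; then
      return 0
    fi
  done
  return 1
}

# Verdict for client cert "$1" under 'require', with trusted CA "$2" and
# advertised CA "$3" (they may differ, as the reply notes).
require_outcome() {
  if ! issuer_advertised "$1" "$3"; then
    echo "no-cert-sent"      # browser has nothing matching the advertised CA
  elif ! chain_ok "$1" "$2"; then
    echo "untrusted-cert"    # certificate sent, but not signed by a trusted CA
  else
    echo "handshake-ok"
  fi
}

# Constructed data: CA 'TEST' and an unrelated CA 'OTHER'.
make_ca test_ca  "TEST"
make_ca other_ca "OTHER"
make_client_cert alice test_ca  "alice"   # issued by TEST
make_client_cert bob   other_ca "bob"     # issued by OTHER

echo "alice, trust TEST,  advertise TEST:  $(require_outcome alice test_ca test_ca)"
echo "bob,   trust TEST,  advertise TEST:  $(require_outcome bob   test_ca test_ca)"
echo "bob,   trust TEST,  advertise OTHER: $(require_outcome bob   test_ca other_ca)"
```

Against a live virtual server the same two checks apply to the real certificate: `openssl verify -CAfile <trusted-ca-bundle> client.crt` covers check A, and `openssl s_client -connect <vip>:443 -cert client.crt -key client.key` (both values are placeholders) prints the "Acceptable client certificate CA names" the F5 advertises, which is the list check B compares against. Since the question exported the server's own certificate for browser use, the first thing to confirm is that its issuer actually appears in that advertised list.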