Client Authentication for 2 Way SSL client SSL profiles
Hello,
I have a question regarding the 2 Way Client SSL profile. Currently we are using a Client SSL profile for one of the Virtual Servers, with Client authentication enabled so that the client certificate has to be presented. We have created a bundle with a few of the known CAs with their root and intermediate and added that to the "Trusted Certificate Authorities" & "Advertised CA's". This current setup works absolutely fine. I have been asked by an Application team whether there is any way to restrict the connections only if we gave the actual client certificate. Since we currently have the root and intermediate certs in the LB trust bundle, whoever is having those will be able to connect, but we want to restrict the connections by having the actual client certificate to be trusted, not the root and intermediate. We did try adding a client certificate to the LB and removing the root and intermediate from the LB trust, but it never worked. Not sure whether this can be implemented or not.
Thanks.
- Kevin_K_51432 (Historic F5 Account)
Greetings,
The signing certificates (root / intermediate) are used only to verify other (client) certificates. By associating the signing certificates in the profile, you are trusting them and the certificates they sign.
"We did try adding a client certificate to the LB and removing the root and intermediate from the LB trust, but it never worked. Not sure whether this can be implemented or not."
If you want to limit the connections to the signed client certificate, ensure the LTM Client SSL profile Client Authentication > Client Certificate option is set to "Required".
Hope this is helpful!
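The restriction asked about in the question, shown generically as an added example (not BIG-IP configuration and not from either poster): the server keeps validating the client chain against the CA bundle, then accepts only leaf certificates whose SHA-256 fingerprint is on an allowlist. The function names, file paths and sample bytes are assumptions made for illustration.

```python
import hashlib
import re
import ssl

def normalize_fp(text: str) -> str:
    """Accept 'AA:BB:..', plain hex, or 'sha256 Fingerprint=AA:BB:..'; return lowercase hex."""
    value = text.split("=", 1)[-1]
    hexed = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return hexed

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding of the leaf certificate."""
    return hashlib.sha256(der).hexdigest()

def is_pinned(der, pins) -> bool:
    """True only when a certificate was presented and its fingerprint is allowlisted."""
    return bool(der) and fingerprint(der) in pins

def server_context(cert_file, key_file, ca_bundle):
    """Server side of two-way TLS: the CA bundle is still needed to verify the chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client cert
    return ctx

def accept_pinned(listener, ctx, pins):
    """Accept one connection; return the TLS socket only for an allowlisted client cert."""
    raw, _addr = listener.accept()
    try:
        tls = ctx.wrap_socket(raw, server_side=True)  # chain validation happens here
    except (ssl.SSLError, OSError):
        raw.close()
        return None
    if not is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()  # signed by a trusted CA, but not the expected certificate
        return None
    return tls

if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; real input is the peer's DER cert.
    sample_der = b"constructed-stand-in-for-a-DER-client-certificate"
    hexfp = fingerprint(sample_der).upper()
    colon_form = ":".join(hexfp[i:i + 2] for i in range(0, 64, 2))
    pins = frozenset({normalize_fp("sha256 Fingerprint=" + colon_form)})
    print(is_pinned(sample_der, pins), is_pinned(b"some-other-cert", pins))
```

The allowlist has to be updated whenever the client certificate is renewed, because a renewed certificate has a new fingerprint even when the subject and issuing CA stay the same.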