Forum Discussion
Muhammad_Irfan1
Cirrus
Nov 28, 2014
Client authentication require problem
Currently my client side profile is set to request. The certificate was issued to me by CA XXX. CA XXX has a chain of three certificates: 2 intermediate and 1 root certificate. I converted those 3 CA cert...
nitass
Employee
Nov 28, 2014
>And i have CA xxx chain in my trusted CA bundle so if i set client authentication to required will it work?
yes
>Do i need to put the client certificate as well in the bundle?
no
- Muhammad_Irfan1 Nov 29, 2014
Cirrus
In which format will I have to put the certificate in the browser? And in which tab, the personal tab? The certificate presented by F5 to the client is CN=10.50.171.5. During client authentication, should the certificate the client presents also have CN=10.50.171.5? Can I use the certificate in the browser which I am using in the F5 client profile? Can one certificate be used on all client machines, or will each client have an individual certificate issued only to him?
- Muhammad_Irfan1 Nov 29, 2014
Cirrus
I opened a support case, he generated tcpdump and ssl dumps, and he said that it looks like the client is not presenting the certificate which F5 (server) is requesting.
- nitass Nov 29, 2014
Employee
>In which format I will have to put certificate in browser?
normally i use pkcs12 but whatever certificate file format it accepts is fine.
>and in which tab, personal tab?
yes
>The certificate presented by F5 to client is CN=10.50.171.5, During client authentication should the client presenting certificate should also have CN= 10.50.171.5?
cn should be different (they authenticate different things).
>Can I use that certificate in browser which I am using in F5 client profile?
of course.
>can one certificate be used in all client machines or each client will have an individual certificate only issued to him
either is okay.
>he said that looks like the client is not presenting the certificate which F5(server) is requesting.
didn't you set peer-cert-mode to require?
by the way, have you seen ssl profile article here? it may be helpful.
SSL Profiles by Jason Rahm and John Wagnon
https://devcentral.f5.com/s/articles/ssl-profiles-part-1
- Muhammad_Irfan1 Nov 29, 2014
Cirrus
Thanks for the reply and article. Yes, I have searched a lot and am still stuck. In the article I don't see anywhere that the client private key is used. Only the client certificate is used. But the personal tab only accepts pfx format, which also includes the private key. Can you tell me where I have to put the certificate on the client Windows machine? Only the personal tab, that's all? The browser already has the intermediate and root certificates. Also F5 has the intermediate and root certificates.
- Muhammad_Irfan1 Nov 29, 2014
Cirrus
Which CN should the client certificate have? His host-name?
- nitass Nov 29, 2014
Employee
>But personal tab only accepts pfx format which also includes private key.
>Can you tell me that where I have to put certificate in client windows machine? Only personal tab that's all?
yes
>Which CN the client certificate should have? His host-name?
i understand client certificate's cn does not matter as long as it (certificate) is valid.
- Muhammad_Irfan1 Nov 29, 2014
Cirrus
What does valid mean? For example, my issuer is mobilink. F5 has the CA chain of mobilink and trusts mobilink certificates. So if mobilink issues any certificate to a client, then that client can be authenticated by F5? There has to be something unique in the client certificate for my VS. Otherwise the client will say that anyone who has any of our certificates can access the VS.
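
The concern raised in the last post, shown as an added example that is not part of the thread: a certificate that chains to the trusted CA is "valid" regardless of whose it is, so restricting access needs a second check on the subject. The script models that decision with the openssl command line, not BIG-IP configuration; the CA, the subjects alice and bob, and the `ALLOWED_CNS` allowlist are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: one throwaway CA issues client certificates to two
# different subjects, "alice" and "bob". All names are made up.
demo_dir=$(mktemp -d)

# Self-signed root standing in for the trusted CA bundle on the server.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null

# make_client NAME: private key + CSR, then a certificate signed by the CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/$1.csr" -days 1 \
        -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -out "$demo_dir/$1.crt" 2>/dev/null
}

# chain_ok CERT: succeeds if CERT chains to the trusted CA (validity only).
chain_ok() {
    openssl verify -CAfile "$demo_dir/ca.crt" "$1" >/dev/null 2>&1
}

# subject_cn CERT: print the CN of the certificate subject.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

ALLOWED_CNS="alice"   # constructed allowlist for one virtual server

# authorize CERT: chain validation first, then the identity check.
authorize() {
    chain_ok "$1" || { echo "reject: chain not trusted"; return 1; }
    cn=$(subject_cn "$1")
    for allowed in $ALLOWED_CNS; do
        [ "$cn" = "$allowed" ] && { echo "accept: $cn"; return 0; }
    done
    echo "reject: $cn has a valid certificate but is not on the allowlist"
    return 1
}

make_client alice
make_client bob
for name in alice bob; do
    chain_ok "$demo_dir/$name.crt" && echo "$name: chain validates"
    authorize "$demo_dir/$name.crt" || true
done
```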