
Forum Discussion

Muhammad_Irfan1
Nov 12, 2014

Client authentication through SSL certificate.

What I want is that only those clients who have the SSL certificates can access the Virtual Server. I generated a .CSR file on the F5 and gave it to the client; they generated a certificate.crt for me, which I put into that certificate entry which did not have a certificate but had a private key. Now I have certificate.crt and certificate.key.

I created a client-side SSL profile, put certificate.crt in Certificate and certificate.key in Key. In Client Authentication I set Require; in Trusted Certificate Authorities I put the chain bundle of the intermediate and root certificates of my certificate.

So now what should I put on the client computer to authenticate? I put certificate.crt in the IE browser. I put the intermediate certificates in Intermediate Trusted and the root certificate in Trusted Root Authorities in the browser.

Now the problem is that when I set authentication to Request it works and the SSL handshake is successful, but the statistics show an invalid certificate. But when I set it to Require everything stops and the handshake fails.

Please tell me what I should do. What should I put on the client computer?

2 Replies

  • R_Eastman_13667 (Historic F5 Account)

    If you just put the certificate.crt in the IE browser, you're not going to be able to authenticate to the F5. You need to install the private key also. Convert the client .crt and .key into a .p12 or .pfx and install it in the browser.

    Convert a PEM certificate file and a private key to PKCS12 (.pfx .p12)
    
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
    
    • Muhammad_Irfan1
      Aha, is this the reason I am getting this error in OpenSSL?

      OpenSSL> s_client -connect 10.50.171.5:7777 -CAfile "F:\irfan-cert\CARoot.cer"
      Loading 'screen' into random state - done
      CONNECTED(000000B4)
      depth=3 CN = Mobilink-PKI-Root
      verify return:1
      depth=2 CN = Mobilink-PKI-SubCA
      verify return:1
      depth=1 DC = pk, DC = net, DC = mobilink, CN = Mobilink-PKI-ISS1
      verify return:1
      depth=0 C = PK, ST = punjab, L = lahore, O = mobilink, OU = FRF, CN = 10.50.171.5, emailAddress = abbas.malik@mobilink.net
      verify return:1
      7084:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
      7084:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
      ---
      Certificate chain
       0 s:/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
         i:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
       1 s:/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
         i:/CN=Mobilink-PKI-SubCA
       2 s:/CN=Mobilink-PKI-SubCA
         i:/CN=Mobilink-PKI-Root
       3 s:/CN=Mobilink-PKI-Root
         i:/CN=Mobilink-PKI-Root
      ---
      Server certificate
      -----BEGIN CERTIFICATE-----
      MIIF0TCCBTqgAwIBAgIKLNi+LAABABv8OzANBgkqhkiG9w0BAQUFADBfMRIwEAYK
      CZImiZPyLGQBGRYCcGsxEzARBgoJkiaJk/IsZAEZFgNuZXQxGDAWBgoJkiaJk/Is
      ZAEZFghtb2JpbGluazEaMBgGA1UEAxMRTW9iaWxpbmstUEtJLUlTUzEwHhcNMTQx
      MTA1MTE1MjAzWhcNMTUwMzI1MDY0MzQ1WjCBjzELMAkGA1UEBhMCUEsxDzANBgNV
      BAgTBnB1bmphYjEPMA0GA1UEBxMGbGFob3JlMREwDwYDVQQKEwhtb2JpbGluazEM
      MAoGA1UECxMDRlJGMRQwEgYDVQQDEwsxMC41MC4xNzEuNTEnMCUGCSqGSIb3DQEJ
      ARYYYWJiYXMubWFsaWtAbW9iaWxpbmsubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GN
      ADCBiQKBgQCmsoRDy/xBlj0cN1X/V7On63Nr8+SoH58Vnx6Fszv4BvWafjVbmo4S
      P35SNKN/azzHf5WnvFvsk/u2Rl1942qKR6UEY4utbPwo9GhM4LX3FX4z1ufLJiWk
      xJOaux1t9iNqQTwVFhVhrommr4Qt3oWLIdnEzr+CUK5WUezD7E0lNQIDAQABo4ID
      YTCCA10wHQYDVR0OBBYEFBEr2m+i79e6Qyrxrp7qXT6c2Dm8MB8GA1UdIwQYMBaA
      FAzu6jXBTbHN96A6WMH6x+4k2DBuMIIBWgYDVR0fBIIBUTCCAU0wggFJoIIBRaCC
      AUGGgcRsZGFwOi8vL0NOPU1vYmlsaW5rLVBLSS1JU1MxLENOPU1PQklMTkstSVNT
      MSxDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMs
      Q049Q29uZmlndXJhdGlvbixEQz1tb2JpbGluayxEQz1uZXQsREM9cGs/Y2VydGlm
      aWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1
      dGlvblBvaW50hkRodHRwOi8vbW9iaWxuay1pc3MxLm1vYmlsaW5rLm5ldC5way9D
      ZXJ0RW5yb2xsL01vYmlsaW5rLVBLSS1JU1MxLmNybIYyaHR0cDovL2NlcnQubW9i
      aWxpbmsubmV0L1BraS9Nb2JpbGluay1QS0ktSVNTMS5jcmwwggE+BggrBgEFBQcB
      AQSCATAwggEsMIG3BggrBgEFBQcwAoaBqmxkYXA6Ly8vQ049TW9iaWxpbmstUEtJ
      LUlTUzEsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZp
      Y2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bW9iaWxpbmssREM9bmV0LERDPXBrP2NB
      Q2VydGlmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9y
      aXR5MHAGCCsGAQUFBzAChmRodHRwOi8vbW9iaWxuay1pc3MxLm1vYmlsaW5rLm5l
      dC5way9DZXJ0RW5yb2xsL01PQklMTkstSVNTMS5tb2JpbGluay5uZXQucGtfTW9i
      aWxpbmstUEtJLUlTUzEoMSkuY3J0MAsGA1UdDwQEAwIFoDA8BgkrBgEEAYI3FQcE
      LzAtBiUrBgEEAYI3FQiDstUxz68uhZWBLYKT9VSG65EGAIWgvAqEwb1PAgFlAgEE
      MBMGA1UdJQQMMAoGCCsGAQUFBwMBMBsGCSsGAQQBgjcVCgQOMAwwCgYIKwYBBQUH
      AwEwDQYJKoZIhvcNAQEFBQADgYEA4SoS7d+2saQmx3n2/d+eoBJDzagrYQYGJFle
      QH4vykZTmT4TIayMEJOqYq5fIUcZ6UlMYIDW5Uyiwa0iObXTi+1FA1ZB1extnPfl
      CAv4Rqs0V2HA5vzmS3Ge8aJ0KjJXXlZOZCHpAG3pJsdVZLtWbCu/8pRAOd8iGRgh
      PdNNXJg=
      -----END CERTIFICATE-----
      subject=/C=PK/ST=punjab/L=lahore/O=mobilink/OU=FRF/CN=10.50.171.5/emailAddress=abbas.malik@mobilink.net
      issuer=/DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
      ---
      Acceptable client certificate CA names
      /DC=pk/DC=net/DC=mobilink/CN=Mobilink-PKI-ISS1
      /CN=Mobilink-PKI-SubCA
      /CN=Mobilink-PKI-Root
      ---
      SSL handshake has read 6337 bytes and written 198 bytes
      ---
      New, TLSv1/SSLv3, Cipher is RC4-SHA
      Server public key is 1024 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : RC4-SHA
          Session-ID: 16FA60494CC614EA972C45C5784E64ECAB0E0296F931240BC0F30F65B34E2918
          Session-ID-ctx:
          Master-Key: 519B4A6034B66FDC409514D6659ACFEECEC60E8B295D7E0FF7D96B3C74889071594D5530DF2C9E6823BD0838687761EE
          Key-Arg   : None
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1415789671
          Timeout   : 300 (sec)
          Verify return code: 0 (ok)
      ---
      error in s_client
      OpenSSL>

      Thank you sir, you gave me hope again. I am nearly ready to go into production. I got some problem again in this; please reply on this thread, I will be very, very grateful. I will tell you once I put the pfx file in the browser.