F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

action_-'s avatar
action_-
Icon for Altostratus rankAltostratus
Jun 13, 2019

Client cert auth, more than advertised CA filtering?

We currently use client cert auth using smart cards at my organization. There is a push to move from one CA's certificates to another CA's certificates. There are 3 certificates on each smart card, o...
application delivery
BIG-IP Access Policy Manager (APM)
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jun 18, 2019

Quick answer is no, but also that's it's not something that the F5 can control anyway. A server can hint to the client on which certs it can select from, which is what the Advertised list does, but ultimately it's up to the client to perform said filter, and per the RFC it's only based on issuer information.

 

Might I inquire, the CA that issues two of the certs on the smart card, are they both identity certs (keyUsage contains "Client Authentication"), or is one of these an (email) encryption certificate?

action_-'s avatar
action_-
Icon for Altostratus rankAltostratus
Jun 18, 2019

They are both "identity certs", the old cert has a Key usage of Digital Signature, Non-Repudiation and no Enhanced Key usage.

The new cert that has been mandated for authentication is Digital Signature with Enhanced Key usage of Smart Card Login, Client Authentication.

 

There has been a mandate for web application owners to only be able to authenticate using this new certificate by early next year, and in some of the documentation it can be construed that you cannot allow the other certificates that have been issued by the same CAs.

 

And of course with the contact info that they give you, no one responds.