Forum Discussion
Client cert auth, more than advertised CA filtering?
Quick answer is no, but also it's not something that the F5 can control anyway. A server can hint to the client on which certs it can select from, which is what the Advertised list does, but ultimately it's up to the client to perform that filter, and per the RFC it's only based on issuer information.
Might I inquire: the CA that issues two of the certs on the smart card, are they both identity certs (keyUsage contains "Client Authentication"), or is one of them an (email) encryption certificate?
They are both "identity certs", the old cert has a Key usage of Digital Signature, Non-Repudiation and no Enhanced Key usage.
The new cert that has been mandated for authentication is Digital Signature with Enhanced Key usage of Smart Card Login, Client Authentication.
There has been a mandate for web application owners to only be able to authenticate using this new certificate by early next year, and in some of the documentation it can be construed that you cannot allow the other certificates that have been issued by the same CAs.
And of course with the contact info that they give you, no one responds.
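Since the Advertised Certificate Authorities list can only steer the client by issuer DN, the distinction between the two smart-card certs has to be made after the handshake by inspecting the Enhanced Key Usage of the certificate actually presented. The Go program below is an added example, not code from this thread or from F5: it constructs, in memory, one CA and two leaf certs that mirror the thread (same issuer; one with Digital Signature + Non-Repudiation and no EKU, one with Digital Signature plus the Smart Card Logon and Client Authentication EKUs), shows that the issuer-DN hint admits both, and then applies an EKU policy that accepts only the mandated cert. The function names, the "Example Issuing CA" and "Jane Doe" subjects, and the 24-hour validity are my own assumptions. On a BIG-IP the same decision would have to be made after the handshake (an iRule or access policy), not in the SSL profile's CA list.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Microsoft Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2). Go's x509 package has
// no named constant for it, so after parsing it lands in UnknownExtKeyUsage.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// PassesAdvertisedCAFilter models the only selection the TLS CertificateRequest
// supports: the client compares the cert's issuer DN with the DER DNs the server
// advertised (RFC 5246 certificate_authorities). Key usage never enters into it.
func PassesAdvertisedCAFilter(cert *x509.Certificate, advertisedDNs [][]byte) bool {
	for _, dn := range advertisedDNs {
		if bytes.Equal(cert.RawIssuer, dn) {
			return true
		}
	}
	return false
}

// AcceptForAuth is the post-handshake policy: require the Client Authentication
// and Smart Card Logon EKUs. A cert with no EKU extension at all (the old
// identity cert) is rejected even though it chains to the same CA.
func AcceptForAuth(cert *x509.Certificate) error {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return errors.New("no Enhanced Key Usage extension present")
	}
	clientAuth := false
	for _, eku := range cert.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		return errors.New("EKU lacks Client Authentication")
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		if oid.Equal(oidSmartCardLogon) {
			return nil
		}
	}
	return errors.New("EKU lacks Smart Card Logon")
}

// BuildTestCerts constructs (in memory, for this example only) one CA and the
// two leaf certs from the thread. Each cert is re-parsed from its DER so it
// looks exactly as it would after arriving in a TLS Certificate message.
func BuildTestCerts() (ca, oldCert, newCert *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key for all three, for brevity
	if err != nil {
		return
	}
	now := time.Now()
	tmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.Add(24 * time.Hour)}
	}
	issue := func(t, parent *x509.Certificate) (*x509.Certificate, error) {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		return x509.ParseCertificate(der)
	}
	caT := tmpl(1, "Example Issuing CA")
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	if ca, err = issue(caT, caT); err != nil {
		return
	}
	old := tmpl(2, "Jane Doe (old)") // Digital Signature + Non-Repudiation, no EKU
	old.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	if oldCert, err = issue(old, ca); err != nil {
		return
	}
	nu := tmpl(3, "Jane Doe (new)") // Digital Signature + EKU {Smart Card Logon, Client Authentication}
	nu.KeyUsage = x509.KeyUsageDigitalSignature
	nu.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	nu.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
	newCert, err = issue(nu, ca)
	return
}

func main() {
	ca, oldCert, newCert, err := BuildTestCerts()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{oldCert, newCert} {
		fmt.Printf("%-15s CA hint: %v, policy: %v\n", c.Subject.CommonName,
			PassesAdvertisedCAFilter(c, [][]byte{ca.RawSubject}), AcceptForAuth(c))
	}
}
```

Running it prints that both certs pass the issuer-DN hint while only "Jane Doe (new)" passes `AcceptForAuth`, which is the whole point of the thread: the CA list is a hint to the client's picker, and the EKU-based mandate has to be enforced server-side on the cert you actually receive.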