Forum Discussion

stupid48's avatar
stupid48
Icon for Altocumulus rankAltocumulus
Feb 02, 2019

Client cert authentication is not working - "application verification failure"

So my organization has it's own RootCA and subordinate authority. I tried adding a certificate bundle by taking the base-64 encoding from the RootCA and the subordinate authority and pasting them both as a bundle. I assigned the bundle to a Client SSL profile for both the Trusted Certificate Authorities and the Advertised Certificate Authorities.

 

The workstation I'm testing with has an Active Directory assigned "Client Authentication" certificate that is basically the computer name (fully qualified) and is issued by the subordinate authority. When I try browsing the website in Chrome, it reports:

 

eddiapp.domain.com didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT

 

LTM (12.1.2) reports Connection error: ssl_shim_vfycerterr:4530: application verification failure (46)

 

I'm assuming the client is not presenting the cert. I added an iRule to check and it appears to be the case.

 

I created a CA pem file via SSH with both CA's in it and also copied the client cert over as well and ran this:

 

openssl verify -CAfile ca.pem ITD-35147.pem ITD-35147.pem: OK

 

I'm not sure what I'm missing. Can anybody shed some light?

 

Thanks, Chris

 

  • Can you share your clientssl profile settings, for client certificate authentication to work, the peer-cert-mode property has to be changed to Require. The default property is ignore.

     

  • I resolved this. The client authentication certificate on the machine was not being passed. Looking at certificates in Chrome, the cert that was being pushed to the client via Active Directory was showing up in the "Other People" tab which apparently means that the browser thinks it's not installed correctly or it's invalid. We did a manual request and that one is appearing in the "Personal" tab and that one works now. I need to investigate the behavior but at least it's working.