Forum Discussion
CLIENT CERT INSPECTION ROLE
Aashutosh,
> what is the importance of Trusted Certificate Authorities ?
> what is the importance of Advertised Certificate Authorities ?
Instead of me writing out what's already available in the GUI, go to your clientssl profile and open it so you can see its configuration options. Now, under the F5 logo at the top left where it says Main, select Help next to it. Then scroll down. If it's easier, use the Launch button to pop out a separate window. In there you will find detailed explanations for each setting. This is basically the product manual built into the F5 device.
> what certificate and what part of that certificate is being validated by CLIENT CERT INSPECTION? how?
All certificates are issued by a CA, or certificate authority. Essentially, in the SSL profile under client authentication you specify what CA. You do this by providing the actual CA certificate. The F5 will prompt for a client certificate; when the client provides this, it will check it was issued by that CA.
Now, if you set the authentication to require in the authentication section of the SSL profile, it will not allow the connection to be established if the certificate does not match. This is not ideal when you later want to make a decision in the APM policy. So usually when using APM you would set this to request. Then when the APM policy starts you can decide what you want to do with the Client cert inspection in your policy.
This object simply reflects the outcome of the client certificate check way back when the connection was started and SSL was being negotiated. This allows you to make decisions on whether they can proceed, or not. There may be a type of client that does not support client certificate auth. So you can make that decision prior to client cert inspection and only use this for client types that support it.
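The issuer check and the require/request difference described in the answer above can be reproduced with the `openssl` CLI. This is an added example, not part of the original post and not F5 code; the CA and client names are constructed, and `handshake` is a hypothetical model of the two modes that only checks the issuing CA.

```shell
#!/bin/sh
# Constructed demo: every file and subject name here is made up for illustration.
make_ca() {            # $1 = CA name; writes $1.key and a self-signed $1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {       # $1 = issuing CA name, $2 = client name; writes $2.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# Hypothetical model of the two profile modes described above.
# $1 = require|request, $2 = trusted CA certificate, $3 = client certificate
handshake() {
    if openssl verify -CAfile "$2" "$3" >/dev/null 2>&1; then
        echo "connected cert-ok"
    elif [ "$1" = require ]; then
        echo "refused"                 # connection is not established
    else
        echo "connected cert-failed"   # the access policy runs and can branch
    fi
}

demo() {
    dir=$(mktemp -d) && cd "$dir" || return 1
    make_ca corp-ca && make_ca other-ca || return 1
    issue_client corp-ca alice && issue_client other-ca outsider || return 1
    for mode in require request; do
        for client in alice outsider; do
            echo "$mode $client: $(handshake "$mode" corp-ca.crt "$client.crt")"
        done
    done
}

# Run as: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

With `request`, the client whose certificate came from the other CA still connects, and the failed check is what a later policy step gets to act on.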
- Aashutosh_Mahaj (Nimbostratus), Jun 30, 2020
> This object simply reflects the outcome of the client certificate check way back when the connection was started and SSL was being negotiated.
So what happens if the user certificate is validated by root successfully but if it's expired?
As per this link https://support.f5.com/csp/article/K81201333, log 'session.ssl.cert.valid is 0' means everything else (all codes other than 0 in link) on the cert is OK.