Forum Discussion

tub91's avatar
Icon for Cirrus rankCirrus
Oct 22, 2022

Client Certificate authentication clarifications


I need some clarification regarding client authentication via certificate.

We have to make access, on our website, only one of our clients to a specific URI via certificate, while all the other customers will continue to access all the other URIs without any certificate.

The first starting point is in the SSL client profile where we should set the Client Authentication in "REQUEST" in order to terminate the handshake even if the certificate is not correct or no certificate is sent by the client.

Our goal is that F5, when sending the Certificate Request packet, asks the client for a specific certificate and not the possibility to send any certificate.

To do this we have to configure, in the SSL profile client, the Advertised Certificate Authority with the CA that generated the certificate we are expecting? It's correct?

With this setting, the Distinguished Names relating to the certificate is then populated in the Certificate Request package and will the browser only propose the sending of this specific certificate and not other certificates?

Reading this article we seem to have understood this scenario but I would like to ask you for confirmation too:

Subsequently, through an iRule we will discriminate access to the single URI that requires the certificate.

Do you see any issues in this implementation? It has not yet been tested in our environment.

I hope our doubt is clear, in case it is not clear I will try to explain myself better