Client Certificate Authentication
I have attempted to get the APM Client Certificate Authentication as well as the iRule Based Client Certificate Authentication to function how I believe it should.
Everything works on the authentication aspect from a client perspective; however, I have one issue.
When I go to a site where I have configured APM or iRule based client certificate authentication, I get a pop-up asking the user to select one of the certificates that is on the user's machine. Of course it works when I select the proper certificate.
Is there any way to not ask the user for a cert or eliminate this action entirely? Passively determine what certificate is on the user machine? I have tried this in both Chrome and IE and I get the same result.
- Nicolas_Destor
Cirrostratus
From my point of view, this issue can be solved only on the client side. Most browsers support automatic certificate submission via policy or extension in order to remove the certificate prompts.
For Chrome you can find more information regarding policy management here: https://support.google.com/chrome/a/answer/187202
- youssef1
Cumulonimbus
Hi,
Nicolas is right, if you set your SSL client profile correctly.
In particular "Advertised Certificate Authorities", you must not have this behavior, unless you have several certificates signed by the same CA on the client side...
If you have only one cert installed on the client side and you set "Advertised Certificate Authorities" with the right CA, it will be transparent for IE and Chrome (but I noticed that Safari asked to select the certificate despite the fact that there was only one)...
Regards
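
An added example, not part of the thread and not F5 code: a small check of which CA names a server advertises in its TLS CertificateRequest (as printed by `openssl s_client`) and which installed client certificates match them by issuer. The sample output, the certificate store and all names in it are constructed; issuer matching is simplified to a direct DN comparison with no chain walking.

```python
import re

# Constructed sample of `openssl s_client -connect <host>:443` output (not from a real server).
SAMPLE_S_CLIENT = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Issuing CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
"""

# Constructed client store: (subject CN, issuer DN) for each installed certificate.
SAMPLE_STORE = [
    ("alice-laptop", "C = US, O = Example Corp, CN = Example Issuing CA"),
    ("alice-vpn", "C = US, O = Example Corp, CN = Example Issuing CA"),
    ("alice-personal", "C = US, O = Other Org, CN = Other CA"),
]

def normalize_dn(dn):
    """Canonicalise both OpenSSL DN styles ('/C=US/O=X' and 'C = US, O = X').
    Simplification: attribute values containing ',' or '/' are not handled."""
    dn = dn.strip()
    parts = dn.strip("/").split("/") if dn.startswith("/") else dn.split(",")
    return tuple(sorted(re.sub(r"\s*=\s*", "=", p.strip()).lower()
                        for p in parts if p.strip()))

def advertised_cas(s_client_output):
    """Return the CA DNs the server listed, or [] if it sent none."""
    names, in_block = [], False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
        elif in_block:
            # The list ends at the next "Key: value" field or section rule.
            if line.startswith("---") or re.match(r"^[A-Za-z ]+: ", line):
                break
            if line.strip():
                names.append(line.strip())
    return names

def candidate_certs(store, advertised):
    """Certs whose issuer is advertised; with no advertised CAs, every cert qualifies."""
    if not advertised:
        return [cn for cn, _ in store]
    wanted = {normalize_dn(d) for d in advertised}
    return [cn for cn, issuer in store if normalize_dn(issuer) in wanted]

if __name__ == "__main__":
    cas = advertised_cas(SAMPLE_S_CLIENT)
    print("advertised:", cas)
    print("candidates:", candidate_certs(SAMPLE_STORE, cas))
```

More than one candidate corresponds to the case described above of several certificates signed by the same advertised CA.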
- The-messenger
Cirrostratus
I've been working on this solution as well. I have client cert inspection working in APM, with cert auth configured in an SSL profile. This works as expected with ActiveSync and the iOS mail client, but with any browser I try on a mobile device, a prompt/selection of the cert is required. If the browser doesn't prompt, or the user doesn't select it, access fails. youssef, what is required to make this transparent?