
Forum Discussion

Nuruddin_Ahmed_
Aug 30, 2016

Client Certificate authentication

Hi,


We have LTM+APM+ASM and we have a requirement: we have one HTTPS website published over the internet and the backend server is HTTP. We want to do client certificate authentication for this website. The client authentication certificate used would be from Symantec, and not all clients would connect with a certificate, so I would be using the request option in the client SSL profile, but I am afraid that doing it via the client SSL profile would allow any Symantec client certificate to connect, which we don't want. We want only one specific customer to connect to this website using a certificate. I was wondering if there is any solution in APM wherein we can read the CN, serial number or any other parameter of the certificate to allow the communication. Any idea???


Regards


1 Reply

  • Doing client certificate request in the client SSL profile or doing it in APM with the On-Demand Cert Auth agent are going to provide the same result, with a few minor differences. In any case, you're setting request, which is a "soft fail", meaning that if a certificate error occurs, or if no certificate is presented at all, it'll fail open. This is what you need if some clients won't have a certificate, but it doesn't provide any built-in constraints. For that you'd need an iRule or APM code logic to read some attribute of the certificate and make a decision. If you used an agent in the VPE, you could look at attributes of the incoming client certificate with:


    session.ssl.cert.*

    where * could be any number of attributes. Here's a quick list of some of those attributes: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-visual-policy-editor-11-6-0/5.html?sr=56810247


    With this you could read the certificate subject, CN, issuer, validity dates, other attributes, and anything in the extensions field to make an access decision.
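One way to implement the constraint the reply describes, using an LTM iRule instead of a VPE agent. This is an added example, not code from the original thread; the allowed CN, the serial-number string, the header name and the exact format `X509::serial_number` returns are assumptions to adjust for your own environment (the `log` line helps you capture the real values first).

```tcl
# Added example (not from the original post). The client SSL profile stays on
# "request" so clients without a certificate still connect; a presented certificate
# is honoured only if it validated and its subject CN and serial number are on the
# allowlist. Any other certificate (e.g. another customer of the same CA) is rejected.
when RULE_INIT {
    # Placeholder values: replace with the customer's actual CN and serial number
    set static::allowed_cn     "customer.example.com"
    set static::allowed_serial "0123456789ABCDEF"
}

when CLIENTSSL_CLIENTCERT {
    # Default: no certificate presented, treat as an unauthenticated connection
    set cert_ok 0
    if { [SSL::cert count] > 0 } {
        set cert   [SSL::cert 0]
        set subj   [X509::subject $cert]
        set serial [X509::serial_number $cert]
        # Under "request", a certificate that failed chain validation still reaches
        # this event; SSL::verify_result is 0 only when validation succeeded.
        log local0. "client cert subject=$subj serial=$serial verify=[SSL::verify_result]"
        # X509::subject returns a DN string such as "CN=customer.example.com,O=Example,C=US"
        if { [SSL::verify_result] == 0
             && [regexp -nocase {CN=([^,]+)} $subj -> cn]
             && [string equal -nocase $cn $static::allowed_cn]
             && [string equal -nocase $serial $static::allowed_serial] } {
            set cert_ok 1
        } else {
            # Valid-looking certificate from the wrong customer: close the connection
            reject
            return
        }
    }
}

when HTTP_REQUEST {
    # Tell the HTTP backend whether this connection carried the approved certificate.
    # The header is always stripped when not verified so a client cannot inject it.
    if { [info exists cert_ok] && $cert_ok } {
        HTTP::header replace X-Client-Cert-Verified "true"
    } else {
        HTTP::header remove X-Client-Cert-Verified
    }
}
```

Because "request" fails open for clients without a certificate, the header (not the mere fact of reaching the backend) is what the application should use to decide which content that one customer may see.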