Forum Discussion
Client Certificate Constrained Delegation
I am trying to configure "client certificate constrained delegation", new in 13.1.x.x. This is used for 2-way SSL authentication. I am trying to add a subordinate CA certificate and key to the server SSL profile but continue to get the error "client certificate constrained delegation key is missing."
Has anyone worked with this new feature as yet or may know what is causing this error?
Thanks.
- Mike_Maher (Nimbostratus)
I am also having this issue. Did you ever figure out how to make it work?
- Stanislas_Piro2 (Cumulonimbus)
Hi,
There is a weird requirement when configuring C3D!!!
You must configure a client certificate and key AND a certificate authority certificate and key.
- Kevin_Stewart (Employee)
Here's what you do:
Prerequisites
- Create a CA bundle - this is used to validate the client certificate
- Import server cert and key - this is the typical reverse proxy server certificate
- Import CA cert and key - this is the CA that forges the client certificate

Client SSL Profile
- Configuration section
  - Import server cert and key (and optionally a CA chain)
- Client Authentication section
  - Client Authentication: request or require
  - Trusted Certificate Authorities: attach the CA bundle
  - Advertised Certificate Authorities: optionally attach a CA bundle
- Client Certificate Constrained Delegation section
  - Client Certificate Constrained Delegation: enabled
  - OCSP: optional
  - Unknown OCSP response control: optional

Server SSL Profile
- Configuration section
  - Certificate: required (can be default)
  - Key: required (can be default)
  - Chain: required if signing with a subordinate CA
- Client Certificate Constrained Delegation section
  - Client Certificate Constrained Delegation: enabled
  - CA certificate: signing CA cert
  - CA key: signing CA key
  - CA passphrase: optional
  - Certificate lifespan: set preferred time (certs are not cached)
  - Certificate extensions: set extensions to copy from original cert
  - Custom extension: optional (any client cert OIDs to copy)
The certificate that you insert into the server SSL profile is used as a template for the forged client cert. The private key is used to generate the CSR for the forged client cert.
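The forging step described above, as an added example that is not from this thread or from F5's own code: a Go model of what the server SSL profile's C3D settings do, using only the standard library. The original client cert is the template (subject plus whitelisted extensions copied raw), the server-ssl key's public half goes into the new cert, the signing CA key signs it, and the lifespan is short. `SelfSigned`, `OIDSubjectAltName` and every name in it are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// OIDSubjectAltName (2.5.29.17) stands in for the "certificate extensions to copy" setting.
var OIDSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// ForgeClientCert models the C3D step: orig is the template (subject plus the selected
// extensions, copied raw), serverPub is the server-ssl profile key, caKey signs, and the
// short lifespan is why nothing has to be cached or revoked.
func ForgeClientCert(orig, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serverPub *ecdsa.PublicKey,
	lifespan time.Duration, copyOIDs []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: orig.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifespan),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	for _, ext := range orig.Extensions {
		for _, id := range copyOIDs {
			if ext.Id.Equal(id) { // only whitelisted extensions survive the reissue
				tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, ext)
			}
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, serverPub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SelfSigned builds the constructed signing CA (isCA=true) or a user's original
// client certificate (isCA=false, optionally with SAN e-mails for copying).
func SelfSigned(cn string, isCA bool, emails ...string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, EmailAddresses: emails}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

The backend only ever sees certificates issued by the signing CA, so it must trust that CA for client authentication; a pool server that trusts only some other CA rejects the forged certificate, which is the check worth running before enabling C3D in production.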