Forum Discussion
Client Certificate Inspection on SSL VPN
I have a request to set up an SSL VPN on the F5 which requires that only devices with machine certificates are allowed to connect.
I have set up the VPN and it works fine without certificate inspection; however, I cannot get it to work with certificate inspection. I believe this is partially because I have set up an SSL certificate to allow the end user device to connect to the F5 using a DigiCert certificate so that they don't get a certificate error. This means that I then cannot associate another profile to the Virtual Server to check the internal CA against the machine certificate. The VPE does not seem to allow you to define what certificate authority to trust, etc.; from all of my reading, it just needs to be in the Virtual Server SSL client profile.
Please help!
- MoredhelAus_361 (Nimbostratus)
OK thanks, that is kind of what I was suspecting. Looks like I must have an issue with my local Issuing CA server certificate and key then.
- Leonardo_Souza (Cirrocumulus)
You can do that with Machine Cert Auth.
See this solution:
https://support.f5.com/csp/article/K13614
- I_R_101_110 (Cirrus)
As you hinted, it's all in the one client ssl profile.
The option to specify the trusted ca for the client cert is in the client ssl profile under Client Authentication->Trusted Certificate Authorities. This is done in the same client ssl profile that you're serving the DigiCert certificate with. There is no need to associate another client ssl profile with the virtual server.
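To make the single-profile setup described in this answer concrete, here is an added tmsh configuration example (not from the original thread or from F5's documentation). It assumes the DigiCert certificate, key and chain have already been imported as `digicert.crt`, `digicert.key` and `digicert-chain.crt`, that the internal root and issuing CA certificates have been imported as one bundle named `internal-ca-bundle.crt`, and that the virtual server is called `vpn_vs`; the profile name `vpn_clientssl` is also an assumption.

```tmsh
# One client-ssl profile does both jobs:
#   cert-key-chain  -> the DigiCert certificate presented to the end user
#   ca-file         -> "Trusted Certificate Authorities": the internal CA bundle
#                      (root + issuing CA) used to validate the machine cert
#   client-cert-ca  -> "Advertised Certificate Authorities": sent in the
#                      CertificateRequest so the client picks the right cert
#   peer-cert-mode  -> require = handshake fails if no valid client cert
create ltm profile client-ssl vpn_clientssl \
    defaults-from clientssl \
    cert-key-chain add { digicert { cert digicert.crt key digicert.key chain digicert-chain.crt } } \
    ca-file internal-ca-bundle.crt \
    client-cert-ca internal-ca-bundle.crt \
    peer-cert-mode require

# Attach the profile to the client side of the VPN virtual server
# (a second client-ssl profile is not needed and would conflict).
modify ltm virtual vpn_vs profiles add { vpn_clientssl { context clientside } }

# Check the result: ca-file and peer-cert-mode should show the values above.
list ltm profile client-ssl vpn_clientssl ca-file client-cert-ca peer-cert-mode cert-key-chain
save sys config
```

If the handshake still fails after this, the CA bundle is the first thing to check: it must contain the full chain that issued the machine certificate (root and issuing CA), otherwise the BIG-IP cannot build a trust path even though the profile is correct.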