Forum Discussion

MoredhelAus_361
Jun 27, 2018

Client Certificate Inspection on SSL VPN

I have a request to set up an SSL VPN on the F5 which requires that only devices with machine certificates are allowed to connect.

 

I have set up the VPN and it works fine without certificate inspection, however I cannot get it to work with certificate inspection. I believe this is partially because I have set up an SSL certificate to allow the end user device to connect to the F5 using a DigiCert certificate so that they don't get a certificate error. This means that I then cannot associate another profile to the Virtual Server to check the internal CA against the machine certificate. The VPE does not seem to allow you to define what certificate authority to trust etc.; it just needs to be in the Virtual Server SSL client profile, from all of my reading.

 

Please help!

 

  • As you hinted, it's all in the one client ssl profile.

     

    The option to specify the trusted ca for the client cert is in the client ssl profile under Client Authentication->Trusted Certificate Authorities. This is done in the same client ssl profile that you're serving the DigiCert certificate with. There is no need to associate another client ssl profile with the virtual server.

     

  • OK thanks, that is kind of what I was suspecting. Looks like I must have an issue with my local Issuing CA server certificate and key then.
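The single-profile setup described in the answer above, written out as tmsh commands. This is an added example, not configuration posted in the thread; the object names (vpn-clientssl, vs_ssl_vpn), file names, paths and hostnames are assumptions, and the internal CA bundle is assumed to contain the issuing CA together with its root so the BIG-IP can build the full machine-certificate chain.

```tmsh
# Added example (not from the thread). Names, paths and hostnames are assumed.

# 1. Import the public DigiCert server certificate/key and its intermediate,
#    plus the internal issuing CA bundle (issuing CA + root CA in one PEM file).
install sys crypto cert vpn.example.com.crt from-local-file /var/tmp/vpn.example.com.crt
install sys crypto key vpn.example.com.key from-local-file /var/tmp/vpn.example.com.key
install sys crypto cert digicert-intermediate.crt from-local-file /var/tmp/digicert-intermediate.crt
install sys crypto cert internal-ca-bundle.crt from-local-file /var/tmp/internal-ca-bundle.crt

# 2. One client-ssl profile does both jobs:
#    - cert-key-chain serves the DigiCert certificate so users get no browser error
#    - peer-cert-mode require = "Client Certificate: require" (no machine cert, no handshake)
#    - ca-file        = "Trusted Certificate Authorities" (what the machine cert is verified against)
#    - client-cert-ca = "Advertised Certificate Authorities" (sent in the CertificateRequest so the
#                       client offers the certificate issued by the internal CA)
#    - authenticate-depth must cover issuing CA + root; 9 is the usual default
create ltm profile client-ssl vpn-clientssl {
    defaults-from clientssl
    cert-key-chain add {
        digicert {
            cert vpn.example.com.crt
            key vpn.example.com.key
            chain digicert-intermediate.crt
        }
    }
    peer-cert-mode require
    ca-file internal-ca-bundle.crt
    client-cert-ca internal-ca-bundle.crt
    authenticate once
    authenticate-depth 9
}

# 3. Attach that one profile to the SSL VPN virtual server; no second client-ssl profile is needed.
modify ltm virtual vs_ssl_vpn profiles add { vpn-clientssl { context clientside } }

# 4. Confirm the client-authentication settings live in the same profile that serves the DigiCert cert.
list ltm profile client-ssl vpn-clientssl cert-key-chain ca-file client-cert-ca peer-cert-mode
```

If the handshake still fails after this, the follow-up comment's suspicion about the local issuing CA is the first thing to check: verify a machine certificate off-box with the same bundle (`openssl verify -CAfile internal-ca-bundle.crt machine.crt`); an "unable to get issuer certificate" result means the bundle is missing the issuing CA or its root, and the BIG-IP will reject the client for the same reason. With `peer-cert-mode require` a client without a valid certificate never reaches the access policy; if you want the VPE's certificate-inspection agent to branch on the result instead of a raw handshake failure, use `peer-cert-mode request` and let the policy enforce the decision, with the trusted CA still defined in this profile.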