clientssl profile with ECC certificate needs RSA Certificate

Question

Hello guys,&nbsp;
Hope you could support me in the following matther.&nbsp;
I have already purchased an ECC wildcard certificate and I wanted to attach it to a virtual server in my BIG IP 4200 LTM box which is running version 12.1.2.&nbsp;
Everything went well until I got an error when creating a SSL client profile. It said "010717e3:3: Client SSL profile must have RSA certificate/key pair.", so I investigated and found that it is needed to have a RSA certificate/key in the profile besides the ECC pair. Therefore, I have the following questions about it:&nbsp;
Do I need to generate two certificates (one ECC and other RSA) with the same FQDN on them? Is it possible? I am using Entrust to generate my certificates. &nbsp;
How could I figure out which one certificate the BIG IP is showing to the client? How does the BIG IP select which certificate to show?&nbsp;
Is there any possibility to make the BIG IP allows the creation of an SSL profile which uses an ECC certificate/key? In future releases perhaps?&nbsp;
I have performed a couple of tests and it seems like the BIG IP is always showing the RSA certificate.&nbsp;
Thanks in advance for your help.&nbsp;
Best regards&nbsp;

masterdead · Answer

Try to allow ECDHE_ECDSA cipher for SSL profile.&nbsp;

kevin_k_51432 · Answer

Greetings,
It looks like at least one RSA cert &amp; key is required. You could try preferring ECC, instead of only using (as above) with:&nbsp;
ECDH_ECDSA:DEFAULT&nbsp;
I would assume BIG-IP bases which cert / key to use based on the client's preference in the initial handshake.&nbsp;
Kevin&nbsp;

arpydays · Answer

Hi,&nbsp;
yes you do need both certs, ask your cert provider whether the RSA cert you have purchased has the option for ECC as well and get them to generate one otherwise you may need to buy a cert product that supports RSA &amp; ECC and get both certs, at least this is what I did when configuring it. If you only want to allow ECC with clients then restrict the ciphers as stated by masterdead, cheers&nbsp;

jmanya_44531 · Answer

Hi Kevin, thanks a lot for your answer.&nbsp;
You said "I would assume BIG-IP bases which cert / key to use based on the client's preference in the initial handshake." Since RSA has been widely used in the industry, it is supposed that the client's preference will be to use the RSA certificate instead of the ECC one. So, how could I force the usage of the ECC no matter the preferences of the browser. I have tried installing the ECC in a Apache and it works fine, but LTM needs an RSA+ECC which makes my deployment more difficult.&nbsp;
Thanks in advance. &nbsp;
Regards&nbsp;
Jorge&nbsp;

kevin_k_51432 · Answer

Hi Jorge,
The server chooses the cipher suite. So if the client prefers RSA, but supports ECC, BIG-IP will still choose the ECC certificate based on:&nbsp;
ECDH_ECDSA:DEFAULT&nbsp;
Kevin &nbsp;

Forum Discussion

clientssl profile with ECC certificate needs RSA Certificate

Recent Discussions

Which process is consuming higher CPU

F5 Health Monitor Receive String as JSON

Background Tasks

SSL bridging without SSL proxy forward

Big-IP VE edition for MacBook M4 Chip

Related Content

Automating ACMEv2 Certificate Management on BIG-IP

Re: Management Certificate

Automate Let's Encrypt Certificates on BIG-IP

Automating NGINX Certificate Rotation on AWS

My Security+ Certification Journey

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS