Desired Outcome - OCSP Prompt displays E-Mail Cert Only
I have a situation where my physical device carries three client certs: 1 that contains persona information, 1 that contains email information, and 1 that contains general information. Each client cert is issued by a separate CA: CA 1 is MyID-20, CA 2 is MyEMAIL-14, and CA 3 is MyInfo-30. I have built a CA bundle and typically used it in my OCSP Responder configuration. I have a client SSL cert associated with my F5 LTM Virtual Server, where the hostname for that URL is included in the cert I present as well as the CA I have identified. This solution works fine, but the client is presented with an option to select which of the 3 client certs to use when authenticating against my application. I would like to force the client to present only the MyEMAIL-14 (chain) cert, so I need to limit their options. I thought I could do this from the server side by building a new bundle of just the E-Mail certs and applying it to the OCSP responder/auth profile associated with the Virtual. Now I am second-guessing (haven't tried this in a lab yet). Has anyone faced this and/or have ideas on how to accomplish this?
Thanks,
- gpoverland
Think I figured this one out: https://devcentral.f5.com/articles/ssl-profiles-part-8-client-authentication CA Advertised should include a new CA Bundle with only the email CAs listed.
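The reason the advertised bundle controls the prompt, as an added example that is not from the thread or from F5: the server copies the subject name of every CA in its advertised bundle into the TLS CertificateRequest, and the client only offers certs issued by one of those names. The example models this with Go's crypto/tls; the CA names and "user@..." certs are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a short-lived Ed25519 certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Offerable returns the client certs a browser could offer to a server advertising bundle: the server puts
// every CA's DER subject into certificate_authorities, and the client keeps only certs issued by one of them.
func Offerable(bundle []*x509.Certificate, wallet []tls.Certificate) (names []string) {
	cri := &tls.CertificateRequestInfo{Version: tls.VersionTLS13, SignatureSchemes: []tls.SignatureScheme{tls.Ed25519}}
	for _, ca := range bundle { // server side: the advertised CA list in CertificateRequest
		cri.AcceptableCAs = append(cri.AcceptableCAs, ca.RawSubject)
	}
	for i := range wallet { // client side: is this cert's issuer one the server said it accepts?
		if cri.SupportsCertificate(&wallet[i]) == nil {
			names = append(names, wallet[i].Leaf.Subject.CommonName)
		}
	}
	return names
}

// Wallet builds the three constructed CAs named in the thread and one client cert under each.
func Wallet() (cas []*x509.Certificate, wallet []tls.Certificate) {
	for _, name := range []string{"MyID-20", "MyEMAIL-14", "MyInfo-30"} {
		ca, caKey := issue(name, nil, nil)
		leaf, leafKey := issue("user@"+name, ca, caKey)
		cas = append(cas, ca)
		wallet = append(wallet, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey, Leaf: leaf})
	}
	return cas, wallet
}
```

With the full three-CA bundle all three certs remain selectable; with a bundle holding only MyEMAIL-14 the prompt is reduced to the one e-mail cert, and an empty advertised list imposes no filter at all.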