Forum Discussion

Jean_Mamène's avatar
Jean_Mamène
Icon for Cirrus rankCirrus
Jun 26, 2023

double authentication with check CN serial number and certificate authority

Hello, We have version 16 of BIG-IP LTM. We have a virtual server on which several urls of the same domain are defined and which sends requests to the same pool of servers. On this virtual server a...
security
CA_Valli's avatar
CA_Valli
Icon for MVP rankMVP
Jun 27, 2023

Hello Jean_Mamène ,

It should be possible to have this work on the same VIP, theorically.
To configure client authentication, You need to build a clientSSL profile and configure it for the specific SNI "url4.example.com", and enable client authentication with "require" setting on this same profile. You should import the trusted CA that singed this certificate on BIG-IP
https://my.f5.com/manage/s/article/K13452
https://my.f5.com/manage/s/article/K12140946

Next step is verifying client-certificate informations (SN, etc.) at authentication time. This can be achieved via iRule.
You can get ideas from this code here, and tune it to check/match the requirements of your deployment. 
https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html