Forum Discussion
soymanue
Nimbostratus
Oct 23, 2012
Edge Client Internal Certificate Authentication
Hello
Is it possible to make the BIG-IP work as an Internal CA to issue user certificates that we would use for user authentication with APM and Edge client?
12 Replies
What_Lies_Bene1
Cirrostratus
You've got the OpenSSL suite at your disposal so I don't see why not.

soymanue
Nimbostratus
Fine, how would the certificate authentication work on APM with Internal CA?

What_Lies_Bene1
Cirrostratus
I'm afraid I'm not too familiar with APM. Regardless, in general, I assume it would work however it works with any CA. You just need to use OpenSSL to generate the appropriate certificates and then configure APM as you would for a public CA but use your internal one. Sorry if that's not too useful; hopefully someone else can respond in more detail.

Manuel,
It's not really practical to use BIG-IP as the CA unless you're talking about just a few certs. What scale are you talking about? But if you chose to have BIG-IP issue certs, then checking their validity in APM is easy, since you have the CA - although you will lack the ability to revoke certs - there are no CRLDP or OCSP responders on the BIG-IP.
soymanue
Nimbostratus
We're talking about a couple of hundred certificates. Now we are using an external CA (Windows 2003). The problem is that APM does not support Machine Certificates. Issuing user certificates with Microsoft CA is quite complicated. The user himself must connect to the website, fill in the form, and connect later to download the certificate. Then he must send the certificate to his own email account in order to install it on his iPhone/iPad. If the user is the company's CEO, it doesn't look like the best way to do it.
We also have CheckPoint FW-1, which has Remote Access and can issue self-signed certificates that are much easier to generate.

Mike_61719
Cirrus
Posted By Manuel on 10/24/2012 10:12 AM
> We're talking about a couple of hundred certificates. Now we are using an external CA (Windows 2003). The problem is that APM does not support Machine Certificates. Issuing user certificates with Microsoft CA is quite complicated. The user himself must connect to the website, fill in the form, and connect later to download the certificate. Then he must send the certificate to his own email account in order to install it on his iPhone/iPad. If the user is the company's CEO, it doesn't look like the best way to do it.
> We also have CheckPoint FW-1, which has Remote Access and can issue self-signed certificates that are much easier to generate.
It doesn't matter if it's one or a hundred. It's not really a good solution. In addition, self-signed certificates are a really bad idea for a security check. What would be the purpose of the check if anyone can generate the certificate?
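The two points made above (that an internal CA built on the OpenSSL tooling can issue and check user certificates but gives you no revocation unless you publish a CRL somewhere, and that a self-signed certificate proves nothing because anyone can mint one) can be seen end to end with the plain OpenSSL CLI. The script below is an added example by the editor; it is not code from this thread, from F5 or from BIG-IP. It assumes an `openssl` binary on PATH, and the organisation name, the user name `alice` and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not F5 code): a minimal internal CA run
# with the stock OpenSSL CLI. It issues a client-auth certificate and verifies
# it, shows that a self-signed certificate with the same subject is rejected,
# then revokes the issued certificate and publishes a CRL so that verification
# fails from then on. Assumes an openssl binary on PATH; the organisation and
# user names are constructed for the demo.

# Create a throw-away CA directory with its openssl.cnf, key and certificate.
# Prints the directory path.
setup_ca() {
  dir=$(mktemp -d) || return 1
  touch "$dir/index.txt"           # "openssl ca" database of issued certs
  echo 01 > "$dir/serial"          # next serial number to issue
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed CA certificate; 2048-bit RSA keeps the demo fast.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Corp/CN=Example Corp Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  echo "$dir"
}

# Issue a user certificate: fresh key and CSR, signed through "openssl ca" so
# the serial is recorded in the database and the cert can be revoked later.
issue_user_cert() {
  dir=$1; user=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$dir/$user.key" -out "$dir/$user.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -notext -config "$dir/ca.cnf" \
    -in "$dir/$user.csr" -out "$dir/$user.crt" >/dev/null 2>&1
}

# Anyone can make a self-signed certificate with the same subject; it is not
# signed by the CA key, so the CA check below must reject it.
forge_self_signed_cert() {
  dir=$1; user=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$user" \
    -keyout "$dir/$user-forged.key" -out "$dir/$user-forged.crt" >/dev/null 2>&1
}

# Revoke a user's certificate and publish a fresh CRL.
revoke_user_cert() {
  dir=$1; user=$2
  openssl ca -config "$dir/ca.cnf" -revoke "$dir/$user.crt" >/dev/null 2>&1 || return 1
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca.crl" >/dev/null 2>&1
}

# Verify a certificate against the CA and, once a CRL exists, against the CRL
# as well. Prints "valid" or "rejected".
check_cert() {
  dir=$1; cert=$2
  if [ -f "$dir/ca.crl" ]; then
    cat "$dir/ca.crt" "$dir/ca.crl" > "$dir/trust.pem"   # CA cert plus CRL
    flags="-crl_check"
  else
    cp "$dir/ca.crt" "$dir/trust.pem"
    flags=""
  fi
  if openssl verify $flags -CAfile "$dir/trust.pem" "$cert" >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

# End-to-end run; prints "valid rejected rejected": the issued cert verifies,
# the forged self-signed one does not, and the issued one is rejected again
# once it has been revoked and the CRL published.
demo() {
  dir=$(setup_ca) || return 1
  issue_user_cert "$dir" alice || return 1
  forge_self_signed_cert "$dir" alice || return 1
  issued=$(check_cert "$dir" "$dir/alice.crt")
  forged=$(check_cert "$dir" "$dir/alice-forged.crt")
  revoke_user_cert "$dir" alice || return 1
  revoked=$(check_cert "$dir" "$dir/alice.crt")
  rm -rf "$dir"
  echo "$issued $forged $revoked"
}

demo
```

The last check is the part the thread flags as missing on BIG-IP: the CRL only helps if it is published somewhere the authenticating device can fetch it, so an internal CA that cannot serve a CRL or answer OCSP leaves a stolen or departed user's certificate valid until it expires.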
soymanue
Nimbostratus
Ok
I'll leave the internal certificate authentication.
Is it possible to use a public certificate (Verisign) for the virtual server but authenticate with our internal Microsoft Windows CA?
Where can I find advanced information regarding On Demand Certificate Authentication? I don't know what the meaning of the different return values of ondemand_cert_auth_ag is.

liangwei_118810
Nimbostratus
how to download?

soymanue
Nimbostratus
Hi
I discarded the idea and finally we use the Corporate Microsoft CA.
It would be great if F5 ever decides to support Machine Certificate authentication for Edge Client.