Forum Discussion
soymanue
Nimbostratus
NimbostratusEdge Client Internal Certificate Authentication
Hello
Is it possible to make the BIG-IP work as an Internal CA to issue user certificates that we would use for user authentication with APM and Edge client?
12 Replies
What_Lies_Bene1Cirrostratus
You've got the OpenSSL suite at your disposal so I don't see why not.
soymanueFine, how would the certificate authentication work on APM with Internal CA?- What_Lies_Bene1I'm afraid I'm not too familiar with APM. Regardless, in general, I assume it would work however it works with any CA. You just need to use OpenSSL to generate the appropriate certificates and then configure APM as you would for a public CA but use your internal one. Sorry if that's not too useful; hopefully someone else can respond in more detail.
Michael_Koyfma1Cirrus
Manuel,
It's not really practical to use BIG-IP as the CA unless you're talking about just a few certs. What scale are you talking about?- Michael_Koyfma1
But if you chose to have BIG-IP issue certs, then checking their validity in APM is easy, since you have the CA - although you will lack the ability to revoke certs - there are no CRLDP or OCSP responders on the BIG-IP.
- soymanueWe're talking about a couple of hundred certificates. Now we are using an external CA (Windows 2003). The problem is that APM does not support Machine Certificates. Issuing user certificates with Microsoft CA is quite complicated. The own user must connect to the website, fill the form, and connect later to download the certificate. Then, he must send the certificate to his own email accout in order to install it on his iPhone/iPad. It the user is the company's CEO, it doesn't look the best way to do it.
We also have CheckPoint FW-1, which has Remote Access and can issue self-signed certificates that are quite easier to generate. 
Mike_61719Posted By Manuel on 10/24/2012 10:12 AM
We're talking about a couple of hundred certificates. Now we are using an external CA (Windows 2003). The problem is that APM does not support Machine Certificates. Issuing user certificates with Microsoft CA is quite complicated. The own user must connect to the website, fill the form, and connect later to download the certificate. Then, he must send the certificate to his own email accout in order to install it on his iPhone/iPad. It the user is the company's CEO, it doesn't look the best way to do it.
We also have CheckPoint FW-1, which has Remote Access and can issue self-signed certificates that are quite easier to generate.
It doesn't matter if it's one or a hundred. It's not really a good solution. In addition, self-signed certificates are a really bad idea for a security check. What would be the purpose of the check if anyone can generate the certificate?- soymanueOk
I'ill leave the internal certificate authentication.
Is it possible to use a public certificate (Verisign) for the virtual server but authenticate with our internal Microsoft Windows CA?
Where can I find advanced information regarding On Demand Certificate Authentication ? I don't know what is the meaning of the different return values for ondemand_cert_auth_ag return values. - liangwei_118810
how to download?
- soymanueHi
I discarded the idea and finally we use Corporate Microsoft CA.
It would be great if F5 ever decides to support Machine Certificate authentication for Edge Client
