
Forum Discussion

mikegray_198028
Apr 25, 2016

External client authentication certificate

Hello team,


Can we use external client authentication certificate, if so is there any security issue?


5 Replies

  • Are you talking about using a client certificate to authenticate to an application?


  • Still not completely clear. In the context of a full proxy system like F5, there are essentially four ways that "authentication" can happen:


    1. Client authentication to the F5 front-end - this could simply be presenting a client certificate to the F5 VIP, or performing full APM-based client side authentication

    2. F5 (acting as the client) authentication to the backend server - this is usually performed by APM doing SSO to an application

    3. Client passing credentials through the proxy - the simplest form. If, however, that authentication is client certificate, then the F5 cannot terminate and re-encrypt the SSL channel, and otherwise perform any intelligent functions at layer 7

    4. Or some combination of the first two

    I believe you're talking about client certificate authentication, where the client presents a certificate as part of an SSL handshake. This can obviously be done between the client and the F5 (option 1 above), and directly through the F5 (option 3 - without terminating the SSL). If you terminate the SSL and consume the client cert (option 1), you can perform some other form of server side authentication (option 2) based on attributes of that client certificate, but not the client cert itself.


    You also asked about security concerns. That depends entirely on a few different things. For instance, are you trying to perform client certificate authentication to the F5? Are the clients using hardware certificate tokens (smart cards) or software-based certificates? What type of authentication is required at the backend servers?


  • We are using the option below and have now bundled it with our internal CA. The problem here is that this will allow all users who have a certificate from the same CA, so I am trying to limit this.


  • Ah, I see. Well, as Josiah answered in your other post (https://devcentral.f5.com/questions/client-authentication-user-authentication-certificates?), once consumed, the BIG-IP will have access to all of the X509 data from the certificate. The CA bundle provides a trust mechanism to complete the SSL handshake. You then need to provide a mechanism to validate the contents of the certificate. Take a look at the X509 section in the wiki for some ideas on how to handle this in iRules.


    https://devcentral.f5.com/wiki/iRules.X509.ashx
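As an added illustration (not part of any reply in this thread, and not F5's or the original poster's code), this is the kind of iRule the last reply points to. The client SSL profile still does what the CA bundle does on its own: it proves the presented certificate chains to the internal CA. The iRule then narrows trust from "anyone with a certificate from our CA" to a specific issuing CA and an explicit list of allowed subject DNs. The issuer CN "Internal Issuing CA" and the string data group `allowed_cert_subjects` are placeholders for your own PKI, and the profile is assumed to be set to require a client certificate.

```tcl
# Added example iRule (not from the thread). Assumes a client SSL profile with
# "Client Certificate: require" and the internal CA bundle as the trusted CA.
# Placeholders: the issuer CN below and the data group "allowed_cert_subjects".
when CLIENTSSL_CLIENTCERT {
    # The CA bundle only proves the cert chains to the internal CA; a missing
    # cert or a failed chain verification is rejected here regardless.
    if { [SSL::cert count] == 0 || [SSL::verify_result] != 0 } {
        log local0. "Client cert missing or failed verification from [IP::client_addr]"
        reject
        return
    }

    # Pull the X509 fields the reply above refers to from the leaf certificate.
    set subject [X509::subject [SSL::cert 0]]
    set issuer  [X509::issuer  [SSL::cert 0]]

    # First restriction: the cert must come from the expected issuing CA
    # (placeholder CN), not just any CA that happens to be in the bundle.
    if { ![string match -nocase "*CN=Internal Issuing CA*" $issuer] } {
        log local0. "Rejecting cert from unexpected issuer: $issuer"
        reject
        return
    }

    # Second restriction: the subject DN must be listed in a string data group
    # of allowed subjects (hypothetical data group "allowed_cert_subjects").
    if { ![class match $subject equals allowed_cert_subjects] } {
        log local0. "Rejecting cert with unlisted subject: $subject"
        reject
        return
    }

    log local0. "Accepted client cert subject=$subject issuer=$issuer"
}
```

`X509::subject` returns the DN as one string (for example `CN=jdoe,OU=Staff,O=Example`), so entries in the data group must match that exact formatting; if you would rather authorize a whole group, replace the `class match` with a `string match` on the OU, as done for the issuer. Logging the rejected subject and issuer gives you something to correlate when a legitimate user is turned away after a certificate renewal.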