For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bylie's avatar
bylie
Icon for Nimbostratus rankNimbostratus
Aug 08, 2019

F5 SSL VPN machine cert check rules

Hi,

 

We're migrating to a new MS PKI and were wondering how the F5 SSL VPN client handles multiple local machine certs. Is there any overview of what the rules are in this case when not using any of the issuer, serial number, ... filtering? For example:

 

  • When 2 valid machine certs are available which one gets picked?
  • When 2 machine certs are available but one is expired does the expired one get picked or will the client ignore it?
BIG-IP
BIG-IP Access Policy Manager (APM)
security
vpn

1 Reply

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Aug 10, 2019

    the second question was a bug, but is solved now:

    https://support.f5.com/csp/article/K56006335

     

    as for which one is picked if both are valid i can't find an answer on. i kinda assume the first the client picks, but on what ground ... ask f5 support is probably most sure way.