Forum Discussion
F5 VPN multiple certificate prompt
Hi,
We are currently deploying the F5 Edge Gateway VPN solution across our user base. Part of the security is to check the SSL certificate via an internal CA.
The issue is all users will have 2 internal certificates installed, one for email and one for verification. However, they are both allowed to be used for Client Authentication, therefore when a user logs in they are asked which certificate to use. Not ideal.
When I disable Client Authentication on the email certificate the user can log in with no prompt for certificate selection, however the CA teams don't want me to do this, plus it's overhead on the roll out of the client.
The difference between the certificates is Key Usage: one is set to Key Encipherment and the other Digital Signature.
Is it possible via an iRule to ensure only the certificate containing a Digital Signature property is available to be used, so the user doesn't receive the prompt?
I can't see any way of doing this via APM or the Client SSL profile configuration.
Any help is appreciated.
Thanks
BIG-IP Edgeway 11.3 HF9
4 Replies
- Kevin_Stewart
Employee
The SSL/TLS "standards" only define a small subset of certificate_type values, all of which are signing types (rsa_sign, dss_sign, ecdsa_sign, etc.). Even if you could modify the certificate type in the SSL handshake's Certificate Request message, the client would likely ignore it anyway. If the certificates are issued by different authorities, you can specify specific CAs in the Advertised CAs list in the client SSL profile to provide a "root hint" to the client.
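To make the mechanism in this reply concrete, here is an added example (not code from the thread, from F5, or from the BIG-IP product) that builds and parses a TLS 1.2 CertificateRequest message as defined in RFC 5246 section 7.4.4. The message carries exactly two things a server can use to steer the client's choice: the list of certificate_type values and the list of certificate_authorities distinguished names (what the client SSL profile's Advertised CAs list populates). Key Usage is not part of the message at all. The CA name, the two sample client certificates and the `candidate_certs` filter are constructed for illustration; real browsers and OS certificate pickers apply their own, implementation-specific selection logic.

```python
"""Build and parse a TLS 1.2 CertificateRequest (RFC 5246 s7.4.4).

Constructed example: the CA name and client certificates below are made up.
"""
import struct

# certificate_type values registered for TLS 1.2 (RFC 5246 and RFC 4492)
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh",
              64: "ecdsa_sign", 65: "rsa_fixed_ecdh", 66: "ecdsa_fixed_ecdh"}
HASH_ALGS = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_ALGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}

OID_CN = bytes([0x55, 0x04, 0x03])  # 2.5.4.3 commonName


def der(tag, body):
    """Minimal DER TLV encoder (lengths below 65536 are enough here)."""
    if len(body) < 0x80:
        ln = bytes([len(body)])
    elif len(body) < 0x100:
        ln = bytes([0x81, len(body)])
    else:
        ln = bytes([0x82]) + struct.pack(">H", len(body))
    return bytes([tag]) + ln + body


def cn_name(cn):
    """DER X.501 Name holding a single commonName attribute."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))   # AttributeTypeAndValue
    return der(0x30, der(0x31, atv))                               # Name { RDN SET { atv } }


def build_certificate_request(cert_types, sig_algs, ca_names):
    """Serialise a CertificateRequest handshake message (msg_type 13)."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    sa = b"".join(bytes(pair) for pair in sig_algs)
    body += struct.pack(">H", len(sa)) + sa
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body += struct.pack(">H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def der_read(buf, off):
    """Read one DER TLV at buf[off]; return (tag, value, next_offset)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln


def cn_from_name(name):
    """Return the first commonName in a DER Name, or None."""
    _, rdns, _ = der_read(name, 0)
    off = 0
    while off < len(rdns):
        _, rdn_set, off = der_read(rdns, off)
        _, atv, _ = der_read(rdn_set, 0)
        _, oid, p = der_read(atv, 0)
        _, val, _ = der_read(atv, p)
        if oid == OID_CN:
            return val.decode()
    return None


def parse_certificate_request(msg):
    """Decode the fields a client actually sees; raise on a malformed message."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    off = 0
    n, off = body[off], off + 1
    types = [CERT_TYPES.get(t, f"unknown({t})") for t in body[off:off + n]]
    off += n
    (n,), off = struct.unpack(">H", body[off:off + 2]), off + 2
    sa, off = body[off:off + n], off + n
    sig_algs = [f"{HASH_ALGS.get(sa[i], '?')}+{SIG_ALGS.get(sa[i + 1], '?')}"
                for i in range(0, len(sa), 2)]
    (n,), off = struct.unpack(">H", body[off:off + 2]), off + 2
    end, cas = off + n, []
    while off < end:
        (ln,), off = struct.unpack(">H", body[off:off + 2]), off + 2
        cas.append(cn_from_name(body[off:off + ln]))
        off += ln
    if off != end or off != len(body):
        raise ValueError("trailing bytes in CertificateRequest")
    return {"certificate_types": types, "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


# Constructed client-side view: two certs from the same internal CA, differing only
# in Key Usage, which is the situation described in the original question.
SAMPLE_CLIENT_CERTS = [
    {"name": "email", "issuer_cn": "Example Internal Issuing CA",
     "key_usage": {"keyEncipherment", "digitalSignature"}},
    {"name": "auth", "issuer_cn": "Example Internal Issuing CA",
     "key_usage": {"digitalSignature"}},
]


def candidate_certs(cert_request, client_certs):
    """Illustrative issuer filter: keep certs whose issuer CN is an advertised CA.

    Key Usage is deliberately not consulted, because the CertificateRequest gives
    the client no field to express such a preference. Two survivors mean a prompt.
    """
    allowed = set(cert_request["certificate_authorities"])
    return [c["name"] for c in client_certs if c["issuer_cn"] in allowed]


def example():
    msg = build_certificate_request([1, 64], [(4, 1), (4, 3)],
                                    [cn_name("Example Internal Issuing CA")])
    return parse_certificate_request(msg)
```

Running `example()` shows the server side advertising rsa_sign and ecdsa_sign plus one CA; feeding that into `candidate_certs` leaves both sample certificates as candidates, which is why the user still gets a picker. Advertising a different CA (the "root hint") narrows the list only when the two certificates chain to different issuers, as the reply above says.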
- don_23889
Nimbostratus
I have a similar issue, but am failing to understand how to apply it to the on_demand policy macro.
The APM end point (VIP) is configured with a Verisign certificate + client SSL profile. However, the on_demand certificate authority does not appear to relate to a client SSL profile.
The issue for me is when remote clients have n+1 "user" identification certificates, and specifically on Windows 7. Is there a way to 'inform' the on_demand macro which certificate to use?
- amolari
Cirrostratus
on-demand will use the certificate (+ CRL) you define in the client SSL profile (where you should no longer enable Request / Require).
- don_23889
Nimbostratus
I'm not sure this will work. The certificate in the client SSL profile is for Verisign. The on_demand certificate macro is looking for a user certificate, which happens to be generated from an internal Entrust CA.