How to allow client certificate authentication in F5?

Question

Hi there,&nbsp;We have an application in the backend that only allow client access with private key, so that only client with private key can access the application. The application generates keypair where public key (crt) holds by application and private key (p12) hold by client in order to authenticate client and server.&nbsp;In order to make this works, how to allow this client-server authenticated each other through F5? Any article/complete step for this use case? or which certificate should be applied in F5?&nbsp;Thank you.&nbsp;Best regards,Lukmanul H&nbsp;

lukmanulhakim093 · Answer

When I run the command "openssl s_client -connect &lt;IP&gt;:&lt;PORT&gt; -showcerts" from client side, I cannot see "Acceptable client certificate CA names" accepted by the F5, do we need to create a client profile set to request or required? and do we need to create a server profile also set to request or required?

michael_saleem · Answer

If the BIG-IP does not need to do any processing above L4 (cookies, HTTP header inspection etc), I would just create a Performance (FastL4) virtual server.

ragunath154 · Answer

Checkout the below article to implement the Proxy SSL feature in LTM where client will be directly authenticated with backend servers

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/13.html

michael_saleem · Answer

Bear in mind Proxy SSL only works with RSA key exchange (and not Diffie Hellman)

lukmanulhakim093 · Answer

Hi Michael_Saleem&nbsp;Thank you for your reply.&nbsp;Based on the following article, we can import client certificate into HTTP header within iRules in F5.&nbsp;&nbsp;Insert Client Certificate in HTTP header and forward to the node (f5.com)&nbsp;Is it applicable if we use this mechanism on two-way/mutual authentication?&nbsp;Thank you.

Forum Discussion

How to allow client certificate authentication in F5?

Recent Discussions

Outlook application issue

Why does WAF block HTTP OPTION method

Rewriting Location Header in iRule

HA Configuration (One in primary and One in DR)

Sending a trusted certificate to server

Related Content

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Provision IOS profile for Exchange ActiveSync with client certificate authentication

Re: Management Certificate

Application Programming Interface (API) Authentication types simplified

SSL client certificate LDAP authenticate before authorizing