Forum Discussion
How to allow client certificate authentication in F5?
Hi there,
We have an application in the backend that only allows client access with a private key, so that only a client with the private key can access the application. The application generates a keypair where the public key (crt) is held by the application and the private key (p12) is held by the client, in order to authenticate client and server.
In order to make this work, how do we allow the client and server to authenticate each other through F5? Is there any article or complete set of steps for this use case? Or which certificate should be applied in F5?
Thank you.
Best regards,
Lukmanul H
- lukmanulhakim093 (Nimbostratus)
When I run the command "openssl s_client -connect <IP>:<PORT> -showcerts" from the client side, I cannot see "Acceptable client certificate CA names" accepted by the F5. Do we need to create a client profile set to request or required? And do we need to create a server profile also set to request or required?
If the BIG-IP does not need to do any processing above L4 (cookies, HTTP header inspection, etc.), I would just create a Performance (FastL4) virtual server.
- lukmanulhakim093 (Nimbostratus)
Thank you for your reply.
Based on the following article, we can insert the client certificate into an HTTP header with iRules in F5.
Insert Client Certificate in HTTP header and forward to the node (f5.com)
Is it applicable if we use this mechanism for two-way/mutual authentication?
Thank you.
- ragunath154 (Cirrostratus)
Check out the article below to implement the Proxy SSL feature in LTM, where the client will be directly authenticated with the backend servers.
https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-5-0/13.html
Bear in mind Proxy SSL only works with RSA key exchange (and not Diffie-Hellman).
- lukmanulhakim093 (Nimbostratus)
Hi ragunath154,
Can we use the following mechanism from the article below?
Insert Client Certificate in HTTP header and forward to the node (f5.com)
Thank you.
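
The `openssl s_client` check mentioned earlier in the thread can be scripted to tell whether the TLS endpoint asked for a client certificate at all. The following is an added example, not part of the original posts or F5 documentation; the sample outputs are constructed, and the line formats it matches are assumptions based on typical `s_client` output.

```python
import re

# Constructed, trimmed samples of `openssl s_client -connect <IP>:<PORT>` output.
# The DNs are made up for illustration.
SAMPLE_REQUESTED = """\
---
Acceptable client certificate CA names
C = ID, O = Example Corp, CN = Example Client CA
/C=ID/O=Example Corp/CN=Example Legacy CA
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
"""
SAMPLE_EMPTY_LIST = """\
---
No client certificate CA names sent
Client Certificate Types: RSA sign, ECDSA sign
---
"""
SAMPLE_NOT_REQUESTED = """\
---
No client certificate CA names sent
Peer signing digest: SHA256
---
"""

CA_HEADER = "Acceptable client certificate CA names"
# A DN line starts with an attribute such as "C = ID" or "/C=ID".
DN_LINE = re.compile(r"^/?[A-Za-z0-9.]+\s?=")
# Assumption: these lines only appear when a CertificateRequest was received.
REQUEST_HINTS = ("Client Certificate Types:", "Requested Signature Algorithms:")

def client_cert_request(output):
    """Classify s_client output: was a client certificate requested, and for which CAs?"""
    lines = [line.strip() for line in output.splitlines()]
    ca_names = []
    if CA_HEADER in lines:
        for line in lines[lines.index(CA_HEADER) + 1:]:
            if not DN_LINE.match(line):
                break  # first non-DN line ends the CA list
            ca_names.append(line)
    if ca_names:
        status = "requested"
    elif any(line.startswith(REQUEST_HINTS) for line in lines):
        status = "requested_without_ca_list"  # cert requested, no CA hints advertised
    else:
        status = "not_requested"
    return {"status": status, "ca_names": ca_names}
```

A result of `not_requested` means the endpoint that terminated the handshake is not configured to ask for a client certificate.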