Forum Discussion
Tony_Augustine_
Nimbostratus
NimbostratusHow to configure BIG-IP to accept client certs from multiple CAs to the same VS
I have a Client SSL Profile set up for terminating 2 Way SSL at BIG-IP. However it is currently set up to only accept client certificates issued by a particular CA. Can I and if so how to configure the SSL Profile to accept client certificates issued by more than one CA.
I think client "cert ca property" of an SSL Client Profile is used to set up this. However looks like I can specifiy only one CA cert in that.
Any help would be appreciated.
strongarm_46960impossible, since it would mean associating multiple profiles to a VIP.
hoolioCirrostratus
I think you can concatenate multiple CA certificates in a bundle and configure the client SSL profile to use the cert bundle as the trusted client CA's option. Here is a snippet from the 9.3 config guide:
https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_3config/BIG_IP_LTM_9_3_Config_Guide-10-1.html
Specifying trusted client CAs
For client-side SSL processing, you can configure an SSL profile to verify certificates presented by a client or a server. Using the Trusted Certificate Authorities setting, you can specify a client trusted CAs file name, which the BIG-IP system then uses to verify client or server certificates. If you do not configure a trusted CAs file, the profile uses a default file.
The trusted CAs file that you specify for certificate verification contains one or more certificates, in Privacy Enhanced Mail (PEM) format. Built manually, this file contains a list of the client or server certificates that the SSL profile will trust. If you do not specify a trusted CAs file, or the specified trusted CAs file is not accessible to the BIG-IP system, the system uses the default file name.
You'll probably want to configure the same cert bundle in the 'Advertised Certificate Authorities' section as well.
Aaron- strongarm_46960As usual, Aaron is completely right, I have done this many times, you just have to copy the contents including the ===beginning=== and ===end== of each cert and past it into a single file then associate that within your profile (SSL Profile (Client)).
I initially thought you wanted to support multiple sites with a single virtual. 
Tony_Augustine_Aaron
Thanks a lot. I had some trouble copying & pasting the certs into a single file. Are there any other tools/ways to create a cert bundle
Tony- hoolioAre you having problems with Windows line terminators being different from Linux? Windows using CR and LF while *nix uses LF.
If you are familiar with vi or pico you could do this on the BIG-IP command line. Else, you could use a Windows text editor that supports *nix line feeds. Notepad++ (Click here) is opensource and should work.
Or you can remove the carriage returns from the Windows file using sed:
sed 's/^M$//' input.txt > output.txt
Aaron - strongarm_46960... do
cat servercert1.pem1 servercert2.pem... >> certBundle.crt
or
cat servercert* >> certBundle.crt 
SteveMPI know this is an old thread, but hoping maybe someone can chime in. I am attempting to get this working on Version 10.2.1. I was able to create the cert bundle and the key bundle, and a new profile using these bundles. I dont see any errors anywhere. But when I access the site from a browser, it seems that the browser only sees the first cert that I imported into the bundle. Is there anything else I need to do to get it show both?
Thanks.
Steve- Kevin_Stewart
Employee
You can't specify multiple server certificates this way. So just that we're clear, this thread is about accepting client certificates from multiple CAs. That's accomplished by adding all of the CA public certificates to a text file and applying that to the Trusted Certificate Authorities drop down of the client SSL profile. You can optionally use this "bundle" in the Advertised Certificate Authorities drop down, or tailor it so that only specific certificate choices are shown in the client browser.
To allow a virtual server to present multiple server certificates, as I assume you're attempting, you have a few choices:
1. Wildcard or SAN certificates - certificates that allow for multiple FQDNs (usually very expensive)
2. TLS SNI, or "Server Name Indicator" - an extension to the TLS profile that allows the BIG-IP to "switch" between server certificates based on the hostname the browser is asking for. In version 10 this can be accomplished with an iRule:
https://devcentral.f5.com/tutorials/tech-tips/multiple-certs-one-vip-tls-server-name-indication-via-irules
In version 11 it's incorporated into the SSL profile.
