Hi All, Is there any deployment guide using client authentication require. whenever i try to change the Client Certificate option to require, it doesn't work but if change to auto,request and none, we have no issues. Thanks! Ferdz

BTW request is as good as none really (unless you're doing certificate checks in an iRule) Do you get any logs in the LTM log to give you any clues? I'd try the following Sols from f5: Overview of SSL Profile Troubleshooting Client Certificate Authentication In a nutshell have you got the "Trusted Certificate Authorities" section in the SSL profile set? If it's a self signed cert it may not reference a CA so you might just need to reference the certificate itself here. Also, presumably you have a client CA in the Personal folder? Do you get prompted to choose a certificate to use for authentication? Rgds N

Hi nathan, I don't get any logs from f5 related to the certificates, also i used same certificate to the "Trusted Certificates Authorities". i always get ssl error on the web page if it is require. Thanks! Ferdz

do you get a prompt to select a certificate at all on the client? does the client have the certificate installed into their certificate store? which browser are you using? Does it make any difference between IE or Firefox, for example? I'd look to enable debugging then or perhaps try a tcpdump/ssldump to see if this gives you anymore clues.

I had already installed the certificate in both browsers, IE and Firefox, on my IE, page cannot be displayed is the result, on firefox, unauthorized certificate and when i click continue, it says ssl error, can you give me the steps in creating self signed certificate, and client ssl profile configuration?

How to deploy client authentication(require) using F5's self-signed certificate

39 Replies

Rafa_Ayala
Nimbostratus
May 29, 2015
use the solution : SOL14499

[root@asm03:Active:Standalone] exampleCA ls client1.crt client1.key client1.p12 client1.pem client1.req clientCA.crt clientCA.key clientCA.p12 clientCA.pem client2.crt

convert client key/cert pair to PKCS12 and send costumer the certificate: client1.p12

set in my ASM trusted certificate Autorities with the certificate : clientCA.crt

set in the profile ssl configuration :

wifi_host_test1 = client2.crt(self signed by my CA "clientCA-cert) <<<<<

Thank You
- dragonflymr
  Cirrostratus
  May 29, 2015
  I assume that it started to work? I really missed "using F5's self-signed certificate" part of this post subject :-( I doubt it's possible to use self-signed cert as client cert - it breaks logic of certificate based authentication. Piotr
Rafa_Ayala_1738
Nimbostratus
May 29, 2015
use the solution : SOL14499

[root@asm03:Active:Standalone] exampleCA ls client1.crt client1.key client1.p12 client1.pem client1.req clientCA.crt clientCA.key clientCA.p12 clientCA.pem client2.crt

convert client key/cert pair to PKCS12 and send costumer the certificate: client1.p12

set in my ASM trusted certificate Autorities with the certificate : clientCA.crt

set in the profile ssl configuration :

wifi_host_test1 = client2.crt(self signed by my CA "clientCA-cert) <<<<<

Thank You
- dragonflymr
  Cirrostratus
  May 29, 2015
  I assume that it started to work? I really missed "using F5's self-signed certificate" part of this post subject :-( I doubt it's possible to use self-signed cert as client cert - it breaks logic of certificate based authentication. Piotr
Rafa_Ayala
Nimbostratus
May 29, 2015
Not work :(

All certificates are signed by my CA.

client1.p12 signed by my CA (f5) and send costumer /install in desktop

clientCA.crt is my CA (F5)

client2.crt is my webserver cert

my TMOS version : 11.5.1 HF8
dragonflymr
Cirrostratus
May 29, 2015
It sad to hear that. I have no idea what could be wrong here. I followed referenced SOL and my lab system started to work without any issue. Will dig in my notes and try to post troubleshooting steps that can be used - but on Monday, right now here in Europe weekend begins - time to trow away work stuff and do some partying :-)

Piotr
nitass
Employee
May 31, 2015
All certificates are signed by my CA.

client1.p12 signed by my CA (f5) and send costumer /install in desktop

clientCA.crt is my CA (F5)

how did you create client1 certificate (i.e. how did you sign client1 certificate)?
Rafa_Ayala
Nimbostratus
Jun 01, 2015
Hello nitass

I followed the step : Creating and signing a client certificate in the solution :SOL14499

Thank you
Rafa_Ayala
Nimbostratus
Jun 01, 2015
The problem is solved, I had a problem with the common name :)

My new error is :

Verify return code: 20 (unable to get local issuer certificate)

My web Server certificate is signed by verisign and my (authentication certificate ) is signed by my local CA
nitass
Employee
Jun 01, 2015
Verify return code: 20 (unable to get local issuer certificate)

is Verisign root ca certificate in client's ca certificate store?
Rafa_Ayala_1738
Nimbostratus
Jun 09, 2015
Yes nittas the customer has a certificate installed , the cert verisign are default in the web browser

thank you
- nitass
  Employee
  Jun 10, 2015
  wasn't the unable to get local issuer certificate error from openssl command? was Verisign root ca certificate in openssl ca certificate store?
Rafa_Ayala
Nimbostratus
Jun 09, 2015
Yes nittas the customer has a certificate installed , the cert verisign are default in the web browser

thank you
- nitass
  Employee
  Jun 10, 2015
  wasn't the unable to get local issuer certificate error from openssl command? was Verisign root ca certificate in openssl ca certificate store?