Forum Discussion
How to deploy client authentication(require) using F5's self-signed certificate
Hi All,
Is there any deployment guide for using client authentication with "require"? Whenever I try to change the Client Certificate option to "require", it doesn't work, but if I change it to auto, request or none, we have no issues.
Thanks! Ferdz
39 Replies
- Rafa_Ayala
Nimbostratus
Thank you ,
Configure again and these are my results:
Debug SSL :
May 27 13:26:42 asm03 debug tmm1[14565]: 01260006:7: Peer cert verify error: self signed certificate (depth 0; cert /C=MX/ST=DISTRITO FEDERAL/L=CIUDAD DE MEXICO/O=Servicios C.V/OU=Sitemas/CN=wit.com.mx/emailAddress=xxxxxx)
May 27 13:26:42 asm03 debug tmm1[14565]: 01260009:7: Connection error: ssl_shim_vfycerterr:3580: self signed certificate (48)
May 27 13:26:42 asm03 info tmm1[14565]: 01260013:6: SSL Handshake failed for TCP x.x.x.x:57862 -> x.x.x.x:8120
Sent the customer the certificates:
remote device:
client1.p12
F5 ASM:
set in: client authentication clientCA.crt and clientCA.key
- dragonflymr
Cirrostratus
Well, from the trace it looks to me like you are using a self-signed certificate as the client certificate (the one installed in the browser). I doubt it will work, as the only CA is the certificate itself (if I can say so). Then there is no way to place any valid CA certificate in the Trusted Certificate Authority field.
I did it as described in the solution mentioned in my old post:
Using openssl, created a private CA (generated key and certificate)
Issued a CSR for the client certificate
Got it signed by my CA
Then converted the client key/cert pair to PKCS12
Imported it in the browser as a User certificate for authentication
Selected my private CA certificate in the Trusted Certificate Authority field (of course imported it first into LTM via System > File Management > SSL Certificate List)
After that everything works like a charm.
Of course, if you are using some public well-known CA for signing the client certificate, you have to set this CA in the Trusted Certificate Authority field (or probably the built-in ca-bundle will work).
Piotr
- Rafa_Ayala_1738
Nimbostratus
use the solution : SOL14499
[root@asm03:Active:Standalone] exampleCA ls
client1.crt client1.key client1.p12 client1.pem client1.req clientCA.crt clientCA.key clientCA.p12 clientCA.pem client2.crt
convert client key/cert pair to PKCS12 and send costumer the certificate: client1.p12
set in my ASM trusted certificate Autorities with the certificate : clientCA.crt
set in the profile ssl configuration :
wifi_host_test1 = client2.crt (self signed by my CA "clientCA-cert") <<<<<
Thank You
- dragonflymr
Cirrostratus
I assume that it started to work? I really missed the "using F5's self-signed certificate" part of this post's subject :-( I doubt it's possible to use a self-signed cert as a client cert - it breaks the logic of certificate-based authentication.
Piotr
- Rafa_Ayala
Nimbostratus
Doesn't work :(
All certificates are signed by my CA.
client1.p12 is signed by my CA (F5) and sent to the customer / installed on the desktop
clientCA.crt is my CA (F5)
client2.crt is my webserver cert
my TMOS version : 11.5.1 HF8
- dragonflymr
Cirrostratus
It's sad to hear that. I have no idea what could be wrong here. I followed the referenced SOL and my lab system started to work without any issue. I will dig in my notes and try to post troubleshooting steps that can be used - but on Monday; right now here in Europe the weekend begins - time to throw away work stuff and do some partying :-)
Piotr
- nitass
Employee
All certificates are signed by my CA.
client1.p12 is signed by my CA (F5) and sent to the customer / installed on the desktop
clientCA.crt is my CA (F5)
How did you create the client1 certificate (i.e. how did you sign the client1 certificate)?
- Rafa_Ayala
Nimbostratus
Hello nitass
I followed the step "Creating and signing a client certificate" in the solution SOL14499.
Thank you
- Rafa_Ayala
Nimbostratus
The problem is solved, I had a problem with the common name :)
My new error is :
Verify return code: 20 (unable to get local issuer certificate)
My web server certificate is signed by Verisign and my (authentication) certificate is signed by my local CA.
- nitass
Employee
Verify return code: 20 (unable to get local issuer certificate)
Is the Verisign root CA certificate in the client's CA certificate store?
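The openssl procedure Piotr describes earlier in the thread (private CA, CSR, signing by the CA, PKCS12 for the browser) and the two verify errors that appear in this thread ("self signed certificate" at depth 0 in the first trace, and "Verify return code: 20 (unable to get local issuer certificate)" here), as an added, runnable example that is not part of the thread and is not F5's or OpenSSL's own code. It writes files under the names used in the posts (clientCA.*, client1.*) and uses `openssl verify -CAfile` as a stand-in for the BIG-IP's Trusted Certificate Authorities check; the CN values, the PKCS12 export password "changeit", the scratch directory and the minimal config file are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): build the client-cert PKI from
# the posts above with openssl, then show offline why a self-signed client cert
# fails verification (error 18) and what verify error 20 means.
# Assumptions: CN values, the "changeit" export password, a scratch directory.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs
CNF="$WORK/pki.cnf"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# v3_ca marks the CA cert as a CA; v3_client marks leaf certs for clientAuth.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = overridden-by-subj
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# Step 1: private CA (key + self-signed CA certificate). clientCA.crt is the
# file that goes into the BIG-IP "Trusted Certificate Authorities" field.
make_ca() {
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=clientCA" \
    -keyout "$WORK/clientCA.key" -out "$WORK/clientCA.crt" 2>/dev/null
}

# Steps 2-3: CSR for the client, signed by the private CA (not self-signed).
make_client() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client1.key" -out "$WORK/client1.req" 2>/dev/null
  openssl x509 -req -in "$WORK/client1.req" -days 365 \
    -CA "$WORK/clientCA.crt" -CAkey "$WORK/clientCA.key" -CAcreateserial \
    -extfile "$CNF" -extensions v3_client -out "$WORK/client1.crt" 2>/dev/null
}

# Step 4: PKCS#12 bundle (key + cert + CA) for import into the user's browser.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/client1.key" -in "$WORK/client1.crt" \
    -certfile "$WORK/clientCA.crt" -passout pass:changeit -out "$WORK/client1.p12"
}

# What the first trace in the thread showed: a self-signed cert used as the
# client cert. Nothing above it can be placed in the Trusted CA field.
make_selfsigned() {
  openssl req -x509 -config "$CNF" -extensions v3_client -newkey rsa:2048 -nodes \
    -days 365 -subj "/CN=wit.com.mx" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.crt" 2>/dev/null
}

# Stand-in for the BIG-IP check: chain the presented cert to the trusted CA file.
# Prints "OK" on success, otherwise the numeric X509 verify error
# (18 = self signed certificate at depth 0, 20 = unable to get local issuer cert).
verify_code() {
  # $1 = trusted CA file, $2 = certificate to verify
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
  fi
}

build_all() { make_ca; make_client; make_p12; make_selfsigned; }

build_all
echo "CA-signed client cert vs clientCA.crt:        $(verify_code "$WORK/clientCA.crt" "$WORK/client1.crt")"
echo "self-signed client cert vs clientCA.crt:      $(verify_code "$WORK/clientCA.crt" "$WORK/selfsigned.crt")"
echo "CA-signed cert vs a store lacking its issuer: $(verify_code "$WORK/selfsigned.crt" "$WORK/client1.crt")"
```

The first line prints OK, the second prints 18 (the same "self signed certificate" at depth 0 condition as the asm03 trace), and the third prints 20: the cert is fine, but the verifier's trust store does not hold its issuer. That last case is the shape of the "Verify return code: 20" reported above when the client side does not have the root (here Verisign) that issued the server certificate, and the same code appears if the BIG-IP's Trusted Certificate Authorities file lacks the CA that signed the client cert. To exercise the virtual server itself, `openssl s_client -connect host:port -cert client1.crt -key client1.key -CAfile <server-CA.pem>` presents the CA-signed client cert and reports the verify code for the server chain. Note that OpenSSL 3.x writes PKCS#12 files with newer algorithms by default; older importers may need the `-legacy` option on the `pkcs12 -export` command.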