F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

IvanKusturic's avatar
IvanKusturic
Icon for Nimbostratus rankNimbostratus
Oct 15, 2020

iRules for SSL certificates

Hi everybody,   We have a client who is hosting three FQDN's on same web server. In order to deliver correct SSL certificates based on the server name, we have configured SNI, with three different ...
ASM Advanced WAF
Default
iRules
security
IvanKusturic's avatar
IvanKusturic
Icon for Nimbostratus rankNimbostratus
Nov 03, 2020

We first tried to configure two-way using only Client Authentication require setting and root CA under Trusted Certificate Authorities field but it didn't work. That's why we tried with C3D.

 

The customer is using self signed certificate as Root CA for issuing client certificates. Could that cause the problem with first approach?

Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Nov 03, 2020

Without using C3D, you can get client certificate authentication from the client to the client-ssl profile, and use a shared static client authentication certificate on the server-side to the pool member.

What you cannot do is pass an individual client authentication certificate from the client-side to the server-side.

 

When establishing a TLS connection with a client-auth certificate, the client-auth certificate has to sign the handshake. But while the BigIP has the client auth certificate presented to it, it does not have the client auth certificate private key to sign the server-side handshake. C3D provides a way to generate a new certificate on the BigIP that matches the client auth certificate details so the server-side SSL profile can connect, present a client auth certificate that provides the right details, and can sign the handshake.