Forum Discussion
DifanZ
Cirrus
CirrusLTM two-way SSL authentication with a specific client cert, not CA cert
Hi experts,
I am trying to set up the SSL two-way authentication following this link https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with the client cert signed by the CA (e.g., DigiCert), correct? How do I make it only accepts a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in the field and the GUI accepts the setting but doesn't work.
Thanks!
- xuwen
Cumulonimbus
when CLIENTSSL_HANDSHAKE { if { [SSL::cert count] > 0 } { if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } { return } else { log local0. "invalid client cert post, subject is: [X509::subject [SSL::cert 0]]" drop } } }
DifanZThank you Xuwen! So it is not possible to do it in the GUI, and an irule would be required for this, correct?
- xuwen
sure, you can don't need irules, only use GUI,First, you need to let Client SSL profile the option "Client Certificate" value set to "Require", then you can use a self-signed CA certificate(
), instead of using a public CA certificate, use the self-signed CA certificate to sign the client certificate to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way ssl
