Forum Discussion
DifanZ, May 27, 2022 (Cirrus)
LTM two-way SSL authentication with a specific client cert, not CA cert
Hi experts, I am trying to set up SSL two-way authentication following this link: https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Truste...
xuwen, May 28, 2022 (Cumulonimbus)
when CLIENTSSL_HANDSHAKE {
    # Only inspect when the client actually presented a certificate
    if { [SSL::cert count] > 0 } {
        # Substring match on the subject DN ("contains", not an exact match)
        if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } {
            return
        } else {
            log local0. "invalid client cert, subject is: [X509::subject [SSL::cert 0]]"
            drop
        }
    }
}
- DifanZ, May 28, 2022 (Cirrus)
Thank you Xuwen! So it is not possible to do it in the GUI, and an iRule would be required for this, correct?
- xuwen, May 29, 2022 (Cumulonimbus)
Sure, you don't need iRules, only the GUI. First, in the Client SSL profile set the "Client Certificate" option to "Require". Then you can use a self-signed CA certificate instead of a public CA certificate: use the self-signed CA certificate to sign the client certificate to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way SSL.
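The two posts above describe two different trust decisions: trusting a CA (the profile's Trusted Certificate Authorities setting) and trusting one specific client certificate (the iRule's subject check). The following script is an added example, not code from the thread or from F5: it uses openssl to build a throwaway private CA, signs two client certificates with it, and runs three checks against each: chain verification against the CA, the same subject substring test the iRule performs, and a SHA-256 fingerprint pin on one exact certificate. The CA name, the CN xyz.example.com and the look-alike CN under .test are made-up values for the demonstration; the resulting files are what you would hand to curl --key/--cert for the test xuwen suggests.

```shell
#!/bin/sh
# Added example (not from the DevCentral thread): build a private CA with openssl,
# sign two client certs with it, and compare "trust the CA" against "trust one
# specific certificate". All names below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA playing the role of the certificate placed in the Client SSL
# profile's Trusted Certificate Authorities (the "CA" approach in the thread).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Test Client CA" >/dev/null 2>&1
}

# Issue a client certificate signed by that CA. $1 = file stem, $2 = CN.
issue_client() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate ("AB:CD:..."): the value to pin.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Check 1: CA trust. Every certificate the CA signed passes, which is what the
# GUI "Trusted Certificate Authorities" setting gives you.
ca_check() {
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo pass
    else
        echo fail
    fi
}

# Check 2: subject substring, the same test as the iRule's
# `[X509::subject ...] contains "CN=xyz.example.com"`.
subject_contains_check() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    case "$subj" in
        *"CN=xyz.example.com"*) echo pass ;;
        *) echo fail ;;
    esac
}

# Check 3: pin one exact certificate. $1 = pinned fingerprint, $2 = cert file.
pin_check() {
    if [ "$(fingerprint "$2")" = "$1" ]; then echo pass; else echo fail; fi
}

make_ca
issue_client good      "xyz.example.com"
issue_client lookalike "xyz.example.com.attacker.test"   # also signed by our CA
PIN=$(fingerprint "$WORK/good.pem")

for c in good lookalike; do
    printf '%-10s ca=%s subject_contains=%s pin=%s\n' "$c" \
        "$(ca_check "$WORK/$c.pem")" \
        "$(subject_contains_check "$WORK/$c.pem")" \
        "$(pin_check "$PIN" "$WORK/$c.pem")"
done
```

The "good" certificate passes all three checks. The look-alike passes the CA check (the CA signed it) and the substring check (its subject DN contains "CN=xyz.example.com" as a prefix of a longer CN) but fails the fingerprint pin, which is the only one of the three that identifies a single certificate rather than a family of them. The same distinction applies on the LTM: a CA in the profile admits anything that CA signs, a `contains` test on the subject admits any subject with that substring, and only an exact comparison (full subject DN with `equals`, or issuer plus serial number, or a fingerprint) names one certificate.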