Forum Discussion

SanalNaroor
May 28, 2025

MTLS - How to authenticate a specific certificate

We have a VIP configured on F5 with MTLS. I have used publicly trusted certificates as the server and client certificates while configuring MTLS.

The behavior I was expecting is that the calling application would be authenticated only when the exact same client certificate is used that was used when setting up MTLS.

Actual behavior: the calling application is able to authenticate with any client certificate, provided it is signed by the same root CA as the client certificate that was used for setting up MTLS.


I just wanted to understand if there is a way to get the expected behavior without writing an iRule or a policy.


1 Reply

  • This is expected behaviour. You are selecting a Trusted CA, not a cert, especially if you have uploaded the cert including the full certificate path. If so, try first uploading only the cert without including the intermediate and root, and use it.

    If that still does not work, you could either use a self-signed certificate or, as you thought, use an iRule to extract and match a specific value after the mTLS.

    e.g. something like this

    when HTTP_REQUEST {
        # Certificate the client presented during the TLS handshake
        # (empty string if the client sent none)
        set cert [SSL::cert 0]
        if { $cert eq "" } {
            log local0. "No client certificate presented"
            reject
            return
        }
        set subject [X509::subject $cert]

        if { $subject contains "CN=XXXXXXXXXXXXX" } {
            log local0. "Client certificate CN matched: $subject"
        } else {
            log local0. "Client certificate CN mismatch: $subject"
            reject
        }
    }

    Or be even more granular
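One way to be more granular, as an added example that is not part of the reply above or of any F5 documentation: pin the client to one exact certificate by matching its issuer DN and serial number (the pair that uniquely identifies a certificate within a CA) with an exact comparison rather than a CN substring, and do it in the CLIENTSSL_CLIENTCERT event so a mismatch is rejected during the handshake, before any HTTP request is processed. The pinned issuer and serial values below are placeholders; the client SSL profile must still require a client certificate and trust the issuing CA, since this rule only narrows that trust to a single certificate.

```tcl
# Added example (not from the original reply): pin mTLS to one exact client
# certificate, identified by issuer DN + serial number, instead of a CN
# substring match. Values in the pin list are placeholders to be replaced.
when RULE_INIT {
    # Placeholder pins in the form "<issuer DN>|<serial number>", written
    # exactly as X509::issuer and X509::serial_number print them on this unit
    set static::pinned_client_certs [list \
        "CN=Example Issuing CA,O=Example Corp,C=US|0123456789ABCDEF" \
    ]
}

when CLIENTSSL_CLIENTCERT {
    # No certificate at all: reject during the handshake
    if { [SSL::cert count] == 0 } {
        log local0. "mTLS: no client certificate presented from [IP::client_addr]"
        reject
        return
    }

    # Leaf certificate presented by the client
    set cert [SSL::cert 0]
    set pin "[X509::issuer $cert]|[X509::serial_number $cert]"

    # Exact match against the pin list; 'contains' would accept any CN
    # that merely has the pinned string as a substring
    if { [lsearch -exact $static::pinned_client_certs $pin] >= 0 } {
        log local0. "mTLS: pinned client certificate accepted: [X509::subject $cert]"
    } else {
        log local0. "mTLS: client certificate not pinned, rejecting: $pin"
        reject
    }
}
```

To fill in the pin list, let the legitimate client connect once and copy the issuer and serial from the "not pinned, rejecting" log line, so the stored string matches the exact format the BIG-IP produces. The log line also gives you a detection point: repeated rejections from a host that holds a valid certificate from the same CA but is not on the pin list are exactly the case the question describes.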