Antoine_80417
Apr 13, 2011 (Nimbostratus)
Multiple certificate authorities and authentication profiles
Hello,
This is my first post on this forum, so first let me introduce myself: I'm a network and security engineer, and I work for a company that uses quite a lot of F5 appliances as GTMs, LCs or LTMs with the ASM module.
We are currently facing quite an issue with some of the appliances that are used as reverse proxies. We are asked to allow our clients to connect to some application using their own certificate.
The first part that we managed to figure out is the creation of the CA bundle that is advertised when the client certificate is required.
The second part, on which we are struggling, is the authentication profiles: we'd like to check the client certificate validity before allowing access to the application. When using a single CA, it is quite simple, as you just have to create an authentication profile (OCSP or CRL) and apply it to the virtual server.
With multiple CAs, I guess I could create one authentication profile per CA and apply it to the virtual server, but I fear that may introduce some latency as there can be quite a lot of CAs.
I would appreciate it a lot if you have any information on how to deal with this better than with multiple authentication profiles or on the performance that we can expect when using multiple authentication profiles.
Regards,
Antoine