For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Antoine_80417's avatar
Antoine_80417
Icon for Nimbostratus rankNimbostratus
Apr 13, 2011

Multiple certificate authorities and authentication profiles

Hello,     This is my first post on this forum so first, let me introduce myself : I'm a network an security engineer, I work for a company that uses quite a lot of F5 appliances as GTMs, LCs or...
config
design
Michael_Yates's avatar
Michael_Yates
Icon for Nimbostratus rankNimbostratus
Apr 15, 2011
I believe that the CRL in the Client Authentication portion of the SSL Profile (Client) is a list of revoked Client Certificates. It should not contain CA's.

 

 

If you want to filter SSL Traffic for the client and only accept SSL Certificates issued by certain CA's then you are probably going to have to write an iRule to do that.

 

 

In the CLIENTSSL_CLIENTCERT Event you can use the X509 Command:

 

 

Overall Command:

 

http://devcentral.f5.com/wiki/default.aspx/iRules.X509

 

 

Retrieve Issuer:

 

http://devcentral.f5.com/wiki/default.aspx/iRules/X509__issuer.html

 

 

Hope this helps.
Related Content