Forum Discussion
Need value for session.ssl.cert.valid
If I may clarify further, the trusted and advertised CA lists are different.
- Trusted Certificate Authorities is a CA certificate or CA bundle that allows the F5 to validate the client certificate. PKI (public key infrastructure) defines "chains", where a self-signed "anchor" CA (root) issues a subordinate CA, which in turn may issue a "sub-subordinate" CA, which in turn may issue end entity certificates. In reality, the chain can be shorter:
CA root -> end entity
but this is rarely so; minimally it contains at least one subordinate,
CA root -> Subordinate CA -> end entity
and it can absolutely be much more deeply nested. I've personally seen PKI chains over 11 long. The Certificate Chain Traversal Depth setting controls how deeply the F5 follows a longer chain. The chains are held together cryptographically by digital signatures - a hash value encrypted by the issuer's private key - so that validating a PKI chain means walking the chain and verifying the signature (with each issuer's public key) along the path. In the above example, CA root signs the Subordinate CA, and the Subordinate CA signs the end entity. To verify this chain, you first need access to all of the certificates, and that's where the Trusted Certificate Authorities bundle comes in. It needs to store all of the CAs and subordinate CAs that the F5 will need to complete the PKI chain from the client's certificate to the self-signed anchor. And if it doesn't have that list, you may get the error you're seeing. It is possible that the client can send some of the subordinate CAs in the TLS handshake (but never the root), but it's also possible that the client will not, so the F5 should have these CA certs anyway. In summary then, if your client certificates are issued by a subordinate CA, the Trusted Certificate Authorities bundle should include the Subordinate CA and the root CA, and any other CA certificates in the PKI chain.
- Advertised Certificate Authorities is simply a bundle that "hints" to the client which issuers are acceptable when sending a client certificate. It plays no part in the actual validation of the client certificate. Simply put, if you possess client certificates from multiple issuers, this bundle tells the client which certificate(s) it can use. Browsers will do this automatically - listing only the certificates that match the advertised issuers. Technically, in the TLS handshake, when the server sends its Certificate Request message to the client, it also sends a list of acceptable CAs, which in this case comes from the Advertised Certificate Authorities bundle.
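The chain-walking behaviour the reply describes, as an added example that is not part of the original post and not F5 tooling: a throwaway three-level PKI (hypothetical names Example Root CA, Example Issuing CA and a client cert for "alice") is built with the openssl command line, then the client certificate is verified against trusted bundles of different completeness. It assumes OpenSSL 1.1.1 or later is on the PATH; every file and key is generated on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post). Builds root -> subordinate -> client
# with openssl and shows how verification depends on which CA certs the verifier
# holds. All names and key material here are hypothetical and generated on the fly.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
# Extension profiles: one for CAs, one for the end-entity (client) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee_ext.cnf

# Root CA: the self-signed anchor.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca_ext.cnf -out root.pem 2>/dev/null

# Subordinate CA: its CSR is signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout sub.key \
  -out sub.csr -subj "/CN=Example Issuing CA" 2>/dev/null
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca_ext.cnf -out sub.pem 2>/dev/null

# End entity (client certificate): its CSR is signed by the subordinate CA.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout client.key \
  -out client.csr -subj "/CN=alice" 2>/dev/null
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -days 365 -sha256 -extfile ee_ext.cnf -out client.pem 2>/dev/null

# The equivalent of a complete Trusted Certificate Authorities bundle:
# every CA on the path from the client certificate up to the self-signed anchor.
cat root.pem sub.pem > bundle.pem

# Each verify_* function exits 0 when openssl accepts the chain and 1 otherwise.

# Bundle holds only the root: the issuer of client.pem cannot be found.
verify_root_only() {
  openssl verify -CAfile root.pem client.pem >/dev/null 2>&1
}

# Bundle holds root and subordinate: the whole path can be walked and checked.
verify_full_bundle() {
  openssl verify -CAfile bundle.pem client.pem >/dev/null 2>&1
}

# Root only in the bundle, but the peer supplied the subordinate in the handshake.
# -untrusted models that: the cert is used to build the path but is not trusted by itself.
verify_root_plus_peer_supplied_intermediate() {
  openssl verify -CAfile root.pem -untrusted sub.pem client.pem >/dev/null 2>&1
}

# Chain traversal depth. -verify_depth N allows at most N intermediate CAs between
# end entity and anchor, so depth 0 rejects root -> subordinate -> client even
# though the bundle is complete.
verify_depth() {
  openssl verify -CAfile bundle.pem -verify_depth "$1" client.pem >/dev/null 2>&1
}

# What an advertised CA list carries: just the subject names of the issuers,
# which is what a client uses to pick a matching certificate.
advertised_names() {
  openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout | grep '^subject='
}

show() {
  if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi
}
show verify_root_only
show verify_full_bundle
show verify_root_plus_peer_supplied_intermediate
show verify_depth 0
show verify_depth 2
advertised_names
```

bundle.pem is the shape of file the reply says belongs in the Trusted Certificate Authorities bundle; root.pem alone is the misconfiguration that produces "unable to get local issuer certificate" unless the client happens to send the subordinate (the -untrusted case), which is why the reply recommends loading the subordinates regardless.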