Pass Client certificate

Question

I would like to be able to pass a client certificate to the server untouched by the F5. I have multiple clients all using the same cert.

hooleylist · Answer

Hi Steve, 
&nbsp;  
&nbsp; If you don't add a client or server SSL profile to the VS, LTM will not decrypt the traffic and the pool members will see the original client cert.  If you need to decrypt the clientside SSL, you cannot have LTM proxy the client's cert as it doesn't have the client's SSL private key.   
&nbsp;  
&nbsp; You could have LTM do one or more of the following: 
&nbsp;  
&nbsp; - check the client cert against a root CA cert you import and configure in the client SSL profile 
&nbsp; - validate the client cert against an OCSP server, CRL, etc using the Advanced Client Auth module 
&nbsp; - use its own client cert to establish a serverside SSL handshake with the pool members 
&nbsp;  
&nbsp; Aaron

steve_lattray_5 · Answer

Thank you this was very helpfull.

Forum Discussion

Pass Client certificate

Recent Discussions

BIG-IP SysLog appearing in ossec.log

MAC address of deleted VS IP address still responsive

Different common name ssl acces 403 forbiddent

TMSH Command to list ASM policies not attached to any virtual servers in all partitions

dynamic signature detection

Related Content

Passing Arguments to iCall Scripts

BIG-IQ Client Certificate (PKI) Authentication

ASM not passing client cookies to the node servers

Slack Mutual TLS Recipe: Adding X-Client-Certificate-SAN header from client certificate

Re: Management Certificate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS