Forum Discussion
Queries related to F5 Certificate Based Authentication.
Hey Subrun, thanks for your question. You need the CA certificate that signed the client certificate to be present in the Trusted Certificate Authorities file, not the client certificate itself. Remember that this file will have a lot of CAs that are usually trusted by browsers. Also, the same CA certificate can optionally be added to Advertised Certificate Authorities so it can inform the client that it is looking for a certificate that was signed by "this" CA.
The client certificate should be on the client machine and should be sent to BIG-IP during the TLS handshake. The CN or Subject Alt Name for a client certificate is up to you. You can set it to a hostname to identify the machine or to something that uniquely identifies the application. The hostname is the more common use I've seen out there.
If you're not familiar with the process, I'll give you a brief overview. Normally, you will create a key and a CSR (Certificate Signing Request) using the tool of your choice (e.g. OpenSSL). Then, you present the CSR to an official CA (e.g. Verisign) and they will sign it and "convert" it to a "CRT" file. Then, you append the CA that signed your request to the Trusted Certificate Authorities file. Once the client certificate is sent by your application, BIG-IP should be able to validate that certificate as long as you enable the settings described in my article.
Hope it helps.
Rodrigo
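The procedure in the reply above (key and CSR, CA signature, CA appended to the trusted bundle, certificate validated at the handshake), as an added example that is not part of the original post or of any F5 documentation. It uses a throwaway private CA in place of the commercial CA and `openssl verify` in place of the BIG-IP Client SSL profile's check against the Trusted Certificate Authorities bundle; it also shows the failure mode the reply warns about (putting the client certificate itself in the bundle instead of the CA that signed it). The CA name, the client hostname `client.example.net` and the working directory are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): walk through the client
# certificate lifecycle described in the reply and emulate the trusted-CA
# check that BIG-IP performs. Assumes the openssl CLI is installed.
# All names below ("Example Client CA", client.example.net) are made up.

WORK="${TMPDIR:-/tmp}/f5-client-cert-demo.$$"

# Build the PKI: private CA, client key + CSR, CA-signed client cert,
# and two candidate "Trusted Certificate Authorities" bundles.
make_pki() {
  mkdir -p "$WORK" || return 1
  (
    cd "$WORK" || exit 1
    # 1. A private CA stands in for the commercial CA in the reply.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
      -keyout ca.key -out ca.crt -subj "/CN=Example Client CA" >/dev/null 2>&1
    # 2. The client creates its own key and a CSR; the CN is the hostname of
    #    the machine that will present the certificate to BIG-IP.
    openssl req -newkey rsa:2048 -nodes \
      -keyout client.key -out client.csr -subj "/CN=client.example.net" >/dev/null 2>&1
    # 3. The CA signs the CSR, "converting" it to a CRT.
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 365 -out client.crt >/dev/null 2>&1
    # 4. Correct trusted bundle: the CA that signed the client certificate
    #    (in practice appended to the existing ca-bundle, hence `cat`).
    cat ca.crt > trusted-ca-bundle.crt
    # 5. The mistake the reply corrects: the client certificate itself.
    cat client.crt > wrong-bundle.crt
  )
}

# verify_client <bundle-file>: emulate the BIG-IP check. Prints "valid" when
# client.crt chains to a CA in the bundle, "invalid" otherwise.
verify_client() {
  if openssl verify -CAfile "$WORK/$1" "$WORK/client.crt" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# cert_issuer: who signed the client certificate (what BIG-IP looks up in
# the bundle and what Advertised Certificate Authorities would announce).
cert_issuer() {
  openssl x509 -noout -issuer -in "$WORK/client.crt"
}

cleanup() {
  rm -rf "$WORK"
}

# Stand-alone run: show both bundles side by side.
if make_pki; then
  echo "issuer of client.crt: $(cert_issuer)"
  echo "bundle = CA cert     : $(verify_client trusted-ca-bundle.crt)"
  echo "bundle = client cert : $(verify_client wrong-bundle.crt)"
  cleanup
fi
```

The second line of output is the point of the reply: with only the client certificate in the trusted file, verification fails with "unable to get local issuer certificate", which is what a BIG-IP with the CA missing from its Trusted Certificate Authorities bundle will report at the handshake.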