Forum Discussion

Muhammad_Irfan1
Nov 29, 2014
Solved

Server and client certificate CN should match or not in client authentication

Client authentication is set to Require.

  1. Should the F5 certificate CN and the client certificate CN match?

  2. I uploaded a CA bundle through the GUI, but it is not shown in

/config/filestore/files_d/Common_d/trust_certificate_d

instead it is shown in

/config/filestore/files_d/Common_d/certificate_d

How do I import a CA bundle into trust_certificate_d?

 

  • > F5 certificate CN and Client certificate CN should match?

    No, the CNs should not be the same, because they authenticate different things (one authenticates the server, the other authenticates the client).

    > I uploaded CA bundle through GUI but that is not shown in /config/filestore/files_d/Common_d/certificate_d

    I understand it is correct. trust_certificate_d is for device trust.


45 Replies

  • Why does no one reply to client authentication questions? Has anybody ever applied it before? I am stuck.
  • Muhammad_Irfan1
    Nitass, please stay with me. I am unable to work it out. My server authentication portion is working fine and the green lock is shown when a client accesses the VS. But when I set it to Require, the handshake fails.
    1. I have a CA bundle of the issuer: 2 intermediate and 1 root certificate in Trusted Certificate Authorities in the client authentication profile.
    2. On which basis will F5 authenticate the client certificate? Only on the trusted certificate authority? Or by some field in the certificate, as users can have other certificates from the same certificate authority?
    3. Do clients have to generate their own certificates, and how on a Windows machine? I want to use one certificate for all clients.
  • nitass (Employee)
    > On which basis will F5 authenticate the client certificate? Only on the trusted certificate authority?
    Yes.
    > Do clients have to generate their own certificates, and how on a Windows machine? I want to use one certificate for all clients.
    As long as the client certificate is valid, it should be okay.
  • Muhammad_Irfan1
    OK. I have a certificate issued by Mobilink and uploaded it to the Personal certificate tab in PFX format. The issuer of that certificate is already in the F5 trusted bundle. How can I verify that the browser is presenting that certificate when requested? That certificate is in the Personal tab, but if I set it to manually select the certificate, I don't have that certificate in the drop-down when manually selecting the certificate.
  • > How can I verify that the browser is presenting that certificate when requested?

    It should be seen in tcpdump.


  • Is this the client certificate?

    4 6 0.0041 (0.0015) C>S Handshake 
        Certificate 
        ClientKeyExchange
    
    • Muhammad_Irfan1
      Yes, it has to be, but after that FIN message what does it show? 1. If F5 has the trusted certificate authority certificates as a bundle, will it then trust any certificate issued by that authority? Why is it not working? I have a deadline of today. Please help. Any certificate issued by that authority should work in PFX format, which includes the cert and private key. If the PFX cert is in the Personal tab then it should be automatically selected, right?
    • nitass (Employee)
      Is client certificate verification okay? e.g. client2.crt is the client certificate, chain.crt is the intermediate and root certificates:

          [root@centos1 ca2013] openssl verify -verbose -CAfile chain.crt certs/client2.crt
          certs/client2.crt: OK

      Verifying that a Certificate is issued by a CA: https://kb.wisc.edu/middleware/page.php?id=4543
    • Muhammad_Irfan1

          [root@www:Active:In Sync] config openssl verify -verbose -CAfile CHecking.crt certs/10.50.171.9.crt

      Why is this command not accepted? I am getting this error:

          [root@www:Active:In Sync] config openssl verify -verbose -CAfile CHecking.crt certs/10.50.171.5.crt
          Error loading file CHecking.crt
          22072:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('CHecking.crt','r')
          22072:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
          22072:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
          usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ...
          recognized usages:
          sslclient        SSL client
          sslserver        SSL server
          nssslserver      Netscape SSL server
          smimesign        S/MIME signing
          smimeencrypt     S/MIME encryption
          crlsign          CRL signing
          any              Any Purpose
          ocsphelper       OCSP helper
  • I do not know what the full name of CHecking.crt in the filestore is, or what and where the client certificate file is. Anyway, this is an example:

     openssl verify -verbose -CAfile /config/filestore/files_d/Common_d/certificate_d/\:Common\:chain.crt_39032_1 /var/tmp/client2.crt
    
    • Muhammad_Irfan1
      I have uploaded the CA bundle, but when looking into that certificate_d folder it is converted into the 3 CA certificates which the bundle contained. Now I am scratching my head.
      1. Server authentication is successfully done.
      2. Now client authentication is not working.
      3. The certificate authority of both the F5 and the client certificates is the same.
      4. The certificate authority has 2 intermediate and 1 root cert, put in the browser and converted into a bundle and put in F5 as well.
      5. Will any certificate issued by Mobilink to a client work, or for this application will the client certificate have something unique which identifies that this certificate is for this app?
      6. Have you performed client authentication before? I want all the clients to have the same cert and F5 will not have that cert; F5 will only have the CA bundle to validate the client cert, right?
      7. If that same bundle is working in server authentication, then the same bundle should work in client authentication, as the issuer of both is the same.
      8. The testing I am doing is with a cert which was for some other purpose but issued by Mobilink, so that will work for client authentication as well, right, as F5 only checks the issuer?
    • Muhammad_Irfan1
      Could this be the problem? The certificate I am using for testing client authentication says "Certificate intended purpose: server authentication". Could this be the problem, that I cannot use it for client authentication?
    • nitass (Employee)
      > I have uploaded the CA bundle, but when looking into that certificate_d folder it is converted into the 3 CA certificates which the bundle contained.
      Can you try to concatenate (cat) the 2 intermediate and 1 root certificates into 1 file and set that in the SSL profile?
      sol13302: Configuring the BIG-IP system to use an SSL chain certificate (11.x) https://support.f5.com/kb/en-us/solutions/public/13000/300/sol13302.html
  • 
        [root@www:Active:Changes Pending] certificate_d openssl verify -verbose -CAfile :Common:CHecking.crt_191817_1 :Common:Siebel-SSL-CA1.crt_191778_1
        unable to load certificate
        32254:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: TRUSTED CERTIFICATE

    Getting this error now.
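The script below is an added example, not code from the thread, from nitass or from F5. It builds a throw-away PKI with openssl (root CA, one issuing CA, and two leaf certificates from that same issuer), concatenates the CA certificates into one bundle the way sol13302 describes, and then runs the `openssl verify` check nitass suggested, plus the two checks the thread never gets to: whether the certificate's extended key usage actually permits client authentication (the "intended purpose: server authentication" question), and whether the file being verified is PEM at all (the "no start line ... Expecting: TRUSTED CERTIFICATE" error is what an older `openssl verify`, such as the 1.0.x on the box in the thread, prints when it is handed a file that was found but is not PEM). All names (Example Root CA, Example Issuing CA, someuser, vs.example.com) are invented; the only dependency is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): throw-away PKI plus the
# checks a client certificate has to pass before blaming the BIG-IP profile.
# All names are invented. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key pair and CSR: $1 = base file name, $2 = subject
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Sign a CSR: $1 = csr, $2 = CA cert, $3 = CA key, $4 = extension file, $5 = output cert
sign() {
  openssl x509 -req -sha256 -days 365 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" 2>/dev/null
}

# Root CA -> issuing CA -> two leaves from the same issuer: one with
# extendedKeyUsage clientAuth, one with serverAuth only (the thread's test cert).
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Example Root CA" 2>/dev/null
  csr int "/CN=Example Issuing CA"
  sign "$WORK/int.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext" "$WORK/int.crt"
  csr client "/CN=someuser"            # client CN deliberately differs from the server CN
  sign "$WORK/client.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/client.ext" "$WORK/client.crt"
  csr server "/CN=vs.example.com"
  sign "$WORK/server.csr" "$WORK/int.crt" "$WORK/int.key" "$WORK/server.ext" "$WORK/server.crt"
  # sol13302-style bundle: intermediate(s) first, then the root, in one PEM file
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
}

# Number of PEM certificates in a bundle file
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Does $1 chain to a CA in the bundle? This is what the thread's command checks;
# it says nothing about the CN and nothing about what the cert may be used for.
verify_issuer() {
  openssl verify -CAfile "$WORK/chain.crt" "$1" 2>&1 | grep -q ': OK$'
}

# Same chain check, plus the purpose an OpenSSL server applies to a client
# certificate: keyUsage must allow digitalSignature and any EKU must include clientAuth.
verify_for_client_auth() {
  openssl verify -purpose sslclient -CAfile "$WORK/chain.crt" "$1" 2>&1 | grep -q ': OK$'
}

# PEM label of the first block in $1, or "not PEM" for DER / PKCS#12 input
pem_label() {
  l=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
  if [ -n "$l" ]; then echo "$l"; else echo "not PEM"; fi
}

# Re-encode a DER certificate as PEM so verify can read it
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

make_pki
echo "chain.crt holds $(count_certs "$WORK/chain.crt") certificates"
if verify_issuer "$WORK/client.crt"; then echo "client.crt: issued by a CA in the bundle (CNs differ; that is fine)"; fi
if verify_for_client_auth "$WORK/client.crt"; then echo "client.crt: valid for client authentication"; fi
if ! verify_for_client_auth "$WORK/server.crt"; then echo "server.crt: same issuer, but EKU is serverAuth only, so not a client certificate"; fi
openssl x509 -in "$WORK/client.crt" -outform DER -out "$WORK/client.der"
echo "client.der is $(pem_label "$WORK/client.der"); client.crt is $(pem_label "$WORK/client.crt")"
der_to_pem "$WORK/client.der" "$WORK/client_pem.crt"
if verify_issuer "$WORK/client_pem.crt"; then echo "client_pem.crt: verifies after converting DER to PEM"; fi
```

On a BIG-IP the same `openssl verify` can be run from the bash prompt against the filestore copies, as in nitass's example; the backslashes before the colons there are harmless but not required by the shell. Two points the script makes concrete for this thread: the client certificate's CN plays no part in chain validation, and a certificate whose EKU is serverAuth only is rejected by `-purpose sslclient` even though it chains to the same CA. Separately, a browser only offers certificates whose issuer appears in the CA list the server sends in its CertificateRequest (on a BIG-IP Client SSL profile that list is the Advertised Certificate Authorities setting, not the Trusted Certificate Authorities bundle); `openssl s_client -connect vip:443 -cert client.crt -key client.key` prints that list under "Acceptable client certificate CA names", which is a quicker check than tcpdump for the "certificate is missing from the drop-down" symptom.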