For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Muhammad_Irfan1's avatar
Muhammad_Irfan1
Icon for Cirrus rankCirrus
Nov 29, 2014
Solved

Server and client certificate CN should match or not in client authentication

During client authentication set to require.   F5 certificate CN and Client certificate CN should match?   I uploaded CA bundle through GUI but that is not shown in   /config/file...
  • nitass_89166's avatar
    nitass_89166
    Nov 29, 2014

    F5 certificate CN and Client certificate CN should match?

     

    no, cn should not be the same because they authenticate different things (one authenticates server but the other one authenticates client).

     

    I uploaded CA bundle through GUI but that is not shown in /config/filestore/files_d/Common_d/certificate_d

     

    i understand it is correct. trust_certificate_d is for device trust.

     

nitass_89166's avatar
nitass_89166
Icon for Noctilucent rankNoctilucent
Nov 30, 2014

is this client certificate?

4 6 0.0041 (0.0015) C>S Handshake 
    Certificate 
    ClientKeyExchange
  • Muhammad_Irfan1's avatar
    Muhammad_Irfan1
    Icon for Cirrus rankCirrus
    Nov 30, 2014
    Yes it has to be, but after that FIN msg what does it show? 1. If F5 have trust certificate authority certificates as bundle then will trust any certificate issued by that authority? Why its not working? I have a deadline of today. Please help. Any certificate issued by that authority should work in pfx format which includes cert and private key. If the pfx cert is in the personal tab then it should be automatically selected. right
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Nov 30, 2014
    is client certificate verification okay? e.g. client2.crt is client certificate chain.crt is intermediate and root certificates [root@centos1 ca2013] openssl verify -verbose -CAfile chain.crt certs/client2.crt certs/client2.crt: OK Verifying that a Certificate is issued by a CA https://kb.wisc.edu/middleware/page.php?id=4543
  • Muhammad_Irfan1's avatar
    Muhammad_Irfan1
    Icon for Cirrus rankCirrus
    Nov 30, 2014
    [root@www:Active:In Sync] config openssl verify -verbose -CAfile CHecking.crt certs/10.50.171.9.crt why this command is not accepted. Getting this error [root@www:Active:In Sync] config openssl verify -verbose -CAfile CHecking.crt certs/10.50.171.5.crt Error loading file CHecking.crt 22072:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('CHecking.crt','r') 22072:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129: 22072:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274: usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-engine e] cert1 cert2 ... recognized usages: sslclient SSL client sslserver SSL server nssslserver Netscape SSL server smimesign S/MIME signing smimeencrypt S/MIME encryption crlsign CRL signing any Any Purpose ocsphelper OCSP helper
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Nov 30, 2014
    is the file path correct? 22072:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('CHecking.crt','r')
  • Muhammad_Irfan1's avatar
    Muhammad_Irfan1
    Icon for Cirrus rankCirrus
    Nov 30, 2014
    /config/filestore/files_d/Common_d/certificate_d this is where certs are. how to mention path in command. Sorry trouble nitass I am network guy and its my first deployement.
  • nitass_89166's avatar
    nitass_89166
    Icon for Noctilucent rankNoctilucent
    Nov 30, 2014
    doesn't just using full path work?
  • Muhammad_Irfan1's avatar
    Muhammad_Irfan1
    Icon for Cirrus rankCirrus
    Nov 30, 2014
    Can you write the command with full path as above? because don't know how to write the path in command. Sorry for trouble nitass.