Forum Discussion
justin_westove1
Nimbostratus
Mar 22, 2016
Setup Client Side SSL Mutual Auth
I need to set up client-side mutual authentication using certificates. I have a few questions regarding this.
We already have an SSL client profile loaded on the F5 VS. This cert is a standard ...
Josiah_39459
Mar 22, 2016
Historic F5 Account
You just need to add the CA bundle for the signer of your client certs. It's in a different section and completely independent of the server/vip cert.
If you want to force the clients to send their client certs, then yes, you need Require.
Josiah_39459
Mar 22, 2016
Historic F5 Account
I'm confused. Have you ever done client certification in any environment? I am mostly explaining how it works on F5, with the assumption you understand the general process. However, much of what you write is confusing to me. Let's try a more basic approach.
-----------------------------------------------------------
Speaking generally, client certs are valid if they are signed by a signer you trust and they haven't expired. You want to trust clients with these certs usually because YOU (your domain controller) or someone you trust (parent/partner/sibling company) gave them these certs. Often not manually, but some automated process where they request a cert from some cert server under your administration and then install that cert on their "company" device.
-----------------------------------------------------------
If you want to trust certs from multiple signers, no problem, just bundle all the signers' certs into your CA bundle. You should have these certs or get them easily, because they are the certs used by the cert server that issues the clients their certs.
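The trust rule described in the replies above (signed by a signer in the CA bundle, and not expired), shown as an added example that is not part of the original thread or any F5 configuration. It assumes the OpenSSL command-line tool is installed; the signer names (CorpCA, PartnerCA, OtherCA) and client names (alice, bob, carol) are constructed for the demo.

```shell
#!/bin/sh
# Added example: every CA and client name here is constructed for the demo.
WORK=$(mktemp -d)
# Minimal config so the signer certs are marked CA:TRUE regardless of system defaults.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed signer cert (stands in for the issuing cert server).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client CA NAME: 30-day client cert signed by CA.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# check_client BUNDLE CERT [EPOCH]: "accept" if CERT chains to a signer in BUNDLE
# and is inside its validity window (at EPOCH if given, else now).
check_client() {
  if openssl verify -CAfile "$1" ${3:+-attime "$3"} "$2" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

for ca in CorpCA PartnerCA OtherCA; do make_ca "$ca"; done
issue_client CorpCA alice
issue_client PartnerCA bob
issue_client OtherCA carol
# The CA bundle is just the trusted signers' PEM certs concatenated; OtherCA is left out.
cat "$WORK/CorpCA.crt" "$WORK/PartnerCA.crt" > "$WORK/bundle.pem"
LATER=$(( $(date +%s) + 60 * 86400 ))   # 60 days from now, past the 30-day lifetime

echo "alice (CorpCA):           $(check_client "$WORK/bundle.pem" "$WORK/alice.crt")"
echo "bob (PartnerCA):          $(check_client "$WORK/bundle.pem" "$WORK/bob.crt")"
echo "carol (OtherCA):          $(check_client "$WORK/bundle.pem" "$WORK/carol.crt")"
echo "alice, 60 days from now:  $(check_client "$WORK/bundle.pem" "$WORK/alice.crt" "$LATER")"
```

The server certificate on the virtual server plays no part in any of these checks, which matches the point above that the client CA bundle is independent of the server/VIP cert.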