Forum Discussion
justin_westove1
Nimbostratus
Mar 22, 2016
Setup Client Side SSL Mutual Auth
I need to set up client-side mutual authentication using certificates. I have a few questions regarding this.
We already have an SSL client profile loaded on the F5 VS. This cert is a standard ...
Josiah_39459
Historic F5 Account
Mar 22, 2016
You just need to add the CA bundle for the signer of your client certs. It's in a different section and completely independent of the server/vip cert.
If you want to force the clients to send their client certs, then yes, you need Require.
justin_westove1
Nimbostratus
Mar 23, 2016
I assume then that it's fine for the signer to be a public CA such as Verisign or Thawte?

I just set up a local CA on the F5 for testing using the openssl commands and signed a cert using the CA. I then imported the CA cert and key into the F5, created a new SSL profile, and set the client authentication to require. I then created a new F5 VS and applied my public cert from Thawte on the VS under client SSL profile AND... I applied the new F5 Local CA bundle (has client authentication enabled). When I attempted to save the configuration, the F5 spit out the following error:

"Selected client SSL profiles do not match security policies for Virtual Server..."

So the F5 can't have two certs on the same VS, one public with no client authentication and another being the CA bundle that I would use to authenticate my clients with client authentication enabled. Any thoughts on a way around this?
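The separation described in the reply above (the CA bundle that authenticates clients is independent of the server/VIP certificate), reproduced with the kind of openssl test CA mentioned in the last post. This is an added example, not part of the original thread: the CA names, subjects and temp directory are constructed, and it only checks chains with `openssl verify`, not against a BIG-IP.

```shell
#!/usr/bin/env bash
# Constructed lab: two unrelated CAs, one for the server cert, one for client certs.
# All names and subjects below are made up for this example.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue <ca> <name>: leaf certificate for <name>, signed by <ca>
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# chains_to <ca> <name>: succeeds only if <name>'s cert validates against <ca> alone
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca public-ca                    # stands in for the public signer of the VIP cert
make_ca local-client-ca              # stands in for the local CA that signs client certs
issue public-ca vip.example.test     # server/VIP certificate
issue local-client-ca client01       # client certificate

# The trusted-CA bundle for client authentication only needs the client signer.
if chains_to local-client-ca client01; then
  echo "client01 accepted by the client-auth CA bundle"
fi
# The CA that signed the VIP cert plays no part in validating clients.
if ! chains_to public-ca client01; then
  echo "client01 rejected when only the server's CA is trusted"
fi
```
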