Forum Discussion

Josh_Abaire's avatar
Josh_Abaire
Icon for Nimbostratus rankNimbostratus
Jun 07, 2012

SSL Client Auth

I'm having trouble getting SSL Client Authentication to work, I've never done it before. The customer wants partners to obtain their own SSL certs from whatever authority they choose, then have the root and trust chain installed on the F5. A GoDaddy Root and Intermediate cert were provided to me. I wasn't sure how to make multiple certs trusted so I imported them separately with one named bundle and then combined them:

 

 

cat /config/ssl/ssl.crt/godaddy-root.crt >> /config/ssl/ssl.crt/godaddy-bundle.crt

 

 

Configured the client SSL profile to require client certs with the godaddy-bundle as trusted authority and advertised authority. As you may guess, it didn't work. This is new territory for me. Can someone explain how the client cert is to be trusted and what I did wrong?
  • Did I stump the entire community? Is what I'm trying to do even possible?
  • Sorry, didn't see this till your recent post. I did this same thing last year. Your cat statement doesn't combine the root and intermediary certs. It only takes the root cert and creates a bundle cert with only the root cert in it. You need to include both root and intermdiary certs to create the bundle, so it'd look like:

     

     

    cat /config/ssl/ssl.crt/intermediate.crt /config/ssl/ssl.crt/godaddy-root.crt > /config/ssl/ssl.crt/godaddy-bundle.crt

     

     

    Set trusted authority back to ca-bundle

     

    Set advertised authority back to 'none' (this only advertises your list of trusted auths to clients, not necessary and reduces security)

     

    Set "CHAIN" to your new bundle - this is where your bundle is referenced.

     

     

    Cheers!
  • Thanks for the reply!

     

     

    I actually had five different certs bundled. I was trying to simplify things. They are all bundled in the same way to the bundle.crt.

     

     

    I'm assuming where I went wrong is I should set the bundle in Chain. I had it set in "Trusted Certificate Authorities." Should I have the same bundle in both?
  • You could set it for both if only those authorities will be connecting to you. Otherwise, I'd set trusted cert auths to ca-bundle, the default. As long as the chain is set to your bundle, it should work for you. Let me know how it goes.
  • Everything is working now. Thanks.

     

     

    Does anyone happen to know if encryption can be handled at the F5, while passing client certificate information to the server for authorization? The customer has an application that utilizes complicated authentication and authorization at the server. SSL terminates at the server currently but they want some iRules that will dig into the http header, so need the encryption terminated at the F5. Is is possible to pass client cert or x509 info, or something like that to allow the client auth to happen at the server?
  • have you seen these codeshare?

     

     

    Insert Client Certificate In Serverside HTTP Headers

     

    https://devcentral.f5.com/wiki/iRules.InsertCertInServerHeaders.ashx

     

     

    Request Client Certificate And Pass To Application by alankila

     

    https://devcentral.f5.com/wiki/iRules.RequestClientCertificateAndPassToApplication.ashx

     

     

    additionally, there is proxy ssl feature in v11.

     

     

    sol13385: Overview of Proxy SSL feature

     

    http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html