Forum Discussion

pjcampbell_7243's avatar
Oct 27, 2010

SSL client authentication?

Is it possible to require a client SSL certificate ? What I have in mind is basically a level of control to access the website. If the cert is not in some list of certs then do not allow access. I see something under "server SSL profile" about



Server authentication -> server certificate (require/ignore). Am I in the right place?






10 Replies

  • Hi PJ,



    You can configure a clientssl profile to request or require a client cert. A server ssl profile's client cert configuration is used to authenticate all serverside connections to the pool. This is independent of the clientside connection.



    If the client cert validation from the clientssl profile fails the client connection will be reset. You can use an iRule to expand the error handling and send an HTTP response when the client cert validation fails. You can do more through a GUI using the APM module.



    Let me know if you have any questions on any of these points.



    Thanks, Aaron
  • Hi,



    I am also in need of SSL client authentication. I have read SOL10167 and still have a few questions before I attempt to implement this. My goal is to "require" client authentication and have the BIG-IP drop the request if the certificate that the client sends does not match that of one that I specify on the BIG-IP. After reading this article, it appears that you can only restrict per CA, not per certificate? I need to specify this "trusted CA" in the "Trusted Certificate Authorities" option box under the SSL profile. Once I select a CA bundle in this option box, and then enable "Require" under Client Authentication, if the client sends a request from a CA not included in "Trusted Certificate Authorities," the BIG-IP will reject the request? There is no way to enforce client authentication purely on a specific SSL certificate (rather than a SSL certificate coming from a particular CA)?






    • piaf_176255's avatar
      Icon for Nimbostratus rankNimbostratus
      Old post but I give my understanding. IMHO it's not a client authentication but a validation certificate processus. To authenticate or verify the identity of the client we need to challenge it.
  • josh,



    have u seen this one? is it what u r looking for?

  • That may do it. I'm going to try just verifying the CA first, without using any iRules, and just using the "SSL Client Authentication" feature. Thanks!
  • Josh,



    I am trying to accomplish the same thing have you had any luck with just the client authentication "require" with just CA? Please share. Thx!


  • Hello guys, I followed the steps from the SOL10167 and the results are that the web page is asking me about the certificate client(that`s ok), so then when I choose the client certificate to be use the connection is terminated with a message that said something like this "the web page that you are trying to connect is no working". My doubt is what about the relation between the CA that emitted my server certificate and the CA that emitted the client certificated, in my case both are different.



    The server certificate is emitted by Verising and the client certificate is selfsign. In fact, I loaded the CA certificate from my client to be a trusted CA.



    I tested to open the web page without a client certificate require and works fine.



    Any recommendations?....
  • If you are trying to utilize the default configuration options of Client Authentication within the SSL Profile, it will limit you to a list of approved Certificate Authorities (Specifies that the CAs that the system advertises to clients is being trusted by the profile.)

    If you are looking to do something more advanced you can use an iRule in conjunction with the Client Authentication.

    For example: I configured a Virtual Server to Require Client Authentication in the SSL Profile and that works in conjunction with this iRule that checks the Hex value of the SSL Certificate serial number in a list of "Valid / Authorized" Certificates. If the SSL Certificate is in the list then you are passed through, if are rejected.

    if { [SSL::cert count] == 0 } {
    log local0. "No Certificate Provided"
    else {
    log local0. "Certificate 1:  [X509::serial_number [SSL::cert 0]]"
    log local0. "Client Certificate Recieved - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
    if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] } {
    log local0. "Client Accepted - IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"
    else {
    log local0. "Client Rejected -IP:[IP::client_addr] Serial:[X509::serial_number [SSL::cert 0]]"

    I am sure that there are other examples in the iRules forum. I would suggest searching on the "CLIENTSSL_CLIENTCERT" Event.
  • Hi Michael, I´m retaking the client-cert testing, I have some doubts about your rule example.



    In the line " if { [class match [X509::serial_number [SSL::cert 0]] equals ValidCertificates] }"



    where is the "ValidCertificates" allocated??.



  • ValidCertificates is the name of a string data group that lists the valid cert serial numbers.