Forum Discussion

pjcampbell_7243's avatar
pjcampbell_7243
Icon for Cirrus rankCirrus
Oct 27, 2010

SSL client authentication?

Is it possible to require a client SSL certificate ? What I have in mind is basically a level of control to access the website. If the cert is not in some list of certs then do not allow access. I s...
config
design
Josh_41258's avatar
Josh_41258
Icon for Nimbostratus rankNimbostratus
Hi,

 

 

I am also in need of SSL client authentication. I have read SOL10167 and still have a few questions before I attempt to implement this. My goal is to "require" client authentication and have the BIG-IP drop the request if the certificate that the client sends does not match that of one that I specify on the BIG-IP. After reading this article, it appears that you can only restrict per CA, not per certificate? I need to specify this "trusted CA" in the "Trusted Certificate Authorities" option box under the SSL profile. Once I select a CA bundle in this option box, and then enable "Require" under Client Authentication, if the client sends a request from a CA not included in "Trusted Certificate Authorities," the BIG-IP will reject the request? There is no way to enforce client authentication purely on a specific SSL certificate (rather than a SSL certificate coming from a particular CA)?

 

 

Thanks!

 

 

Josh
piaf_176255's avatar
piaf_176255
Icon for Nimbostratus rankNimbostratus
Nov 05, 2014
Old post but I give my understanding. IMHO it's not a client authentication but a validation certificate processus. To authenticate or verify the identity of the client we need to challenge it.