Forum Discussion
SSL client certificate forward with BigIp
Hello,
I need support with a problem that I'm facing right now... I have a WebApi hosted on an IIS server that can be accessed only with a client certificate. The validation is done in the WebApi. This WebApi can be called only through an F5 BigIp that redirects the user to the IIS server. The problem is that the certificate is lost after the redirect from the BigIP, and I can't access it there to validate the certificate.
So the question is: How can I configure BigIp to forward the client certificate to IIS Server when redirecting to it?
Thank You!
- youssef1
Cumulonimbus
Hi,
You have to use Proxy SSL:
sol13385: Overview of the Proxy SSL feature http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
You have an example here:
https://devcentral.f5.com/questions/passing-client-ssl-certificate-to-server-f5-ltm-115
let me know if you need more details.
regards,
- Kevin_Stewart
Employee
As Youssef states, ProxySSL can only be used if you can force the client and server to use a non-perfect forward secret (RSA) TLS handshake key exchange. This becomes harder to do as modern browsers remove RSA as an option, or when TLSv1.3 removes it completely.
The better option would be Client Certificate Constrained Delegation (C3D). This is a feature added in 13.1 that allows you to "forge" a client certificate to a local server. Using a local certificate authority certificate and private key that the server trusts, C3D consumes the client certificate, validates and checks revocation (OCSP, CRL), and then creates a new locally-issued client cert on the fly with all of the attributes of the original client cert, and presents that to the server. In this way you can continue to perform mutual auth on the server, and still explicitly decrypt and re-encrypt on the F5.
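An added cipher-list audit (example code, not from this thread or from F5) that makes the Proxy SSL constraint above concrete: only suites with a static RSA key exchange (reported by OpenSSL as `kx-rsa`) leave Proxy SSL able to decrypt, while ECDHE/DHE suites and every TLSv1.3 suite are forward secret and push you toward C3D. The bucket names and sample cipher strings are my own choices; it uses only the Python standard library.

```python
"""Bucket the ciphers in an OpenSSL cipher string by key exchange so you can
see which ones are usable with F5 Proxy SSL (static RSA, no forward secrecy)
and which ones force the C3D approach (ECDHE/DHE and all of TLSv1.3)."""
import ssl

# Key-exchange labels as returned by SSLContext.get_ciphers()[i]["kea"].
STATIC_RSA_KX = {"kx-rsa"}                       # session key wrapped by the server RSA key
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-any"}  # kx-any: TLSv1.3, always (EC)DHE


def classify(cipher: dict) -> str:
    """Return 'proxy-ssl-ok', 'forward-secret' or 'other' for one cipher dict."""
    kea = cipher.get("kea", "")
    if kea in STATIC_RSA_KX:
        return "proxy-ssl-ok"
    if kea in FORWARD_SECRET_KX or cipher.get("protocol") == "TLSv1.3":
        return "forward-secret"
    return "other"


def audit_cipher_string(cipher_string: str) -> dict:
    """Expand an OpenSSL cipher string with the local OpenSSL and bucket each suite.

    TLSv1.3 suites are always appended by OpenSSL regardless of the string, which
    is exactly why a Proxy SSL deployment also has to cap the protocol at TLSv1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    buckets = {"proxy-ssl-ok": [], "forward-secret": [], "other": []}
    for cipher in ctx.get_ciphers():
        buckets[classify(cipher)].append(cipher["name"])
    return buckets


if __name__ == "__main__":
    # Constructed sample: one static-RSA suite next to one ECDHE suite.
    for label, spec in [("mixed list", "AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"),
                        ("PFS only", "ECDHE-RSA-AES256-GCM-SHA384")]:
        result = audit_cipher_string(spec)
        print(f"{label}: {spec}")
        for bucket, names in result.items():
            print(f"  {bucket:15s} {', '.join(names) or '-'}")
```

If the `proxy-ssl-ok` bucket for your server's cipher string is empty, Proxy SSL cannot work and C3D is the only option.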