Forum Discussion
Two-way SSL authentication with self-signed client certificate
Hi, we're trying to implement a two-way SSL authentication against one of our virtual servers.
We have a certificate for our virtual server, which is signed by a CA and is working just as expected.
However, we don't want to let anyone connect to this virtual server unless we are presented with a client side SSL certificate.
The challenge we're facing is that this client side certificate is self-signed. So, when the client connects, the F5 cannot validate the certificate and our connection cannot be established.
Just to get some things out of the way:
- We only have the certificate and we cannot get the key for the client side certificate.
- We cannot upload our CA certificate or key to the other side where the connections are coming from.
I would like to know:
- Is there any way to tell the F5 to trust this certificate? If so, how?
- I read, somewhere, that we can just set the mode to request and then add an iRule to validate the certificate. Is that possible?
I would appreciate any help on this matter.
Thanks
8 Replies
- Cory_50405
Noctilucent
Is the certificate needed on the backend server for authentication? If so, then you could enable proxy SSL within the client and server SSL profiles assigned to your virtual server. This will enable the client certificate to be passed along to the web server. Since you mention this is two-way SSL, I suspect the server is still doing the authentication piece.
http://support.f5.com/kb/en-us/solutions/public/13000/300/sol13385.html
- Sebas_82058
Nimbostratus
No, the backend doesn't even need to know about this. We just need the load balancer to validate connections are coming only from the sources we trust.
It's similar to this, however, the CA piece is the one I am having problems with:
https://devcentral.f5.com/questions/2-way-ssl-implementation-25325
- Sebas_82058
Nimbostratus
I finally implemented this via an iRule that will do the work. Not the most beautiful solution, but it serves the purpose given the limitations on the client side.
- Muqeem_Baig
Nimbostratus
Dear Sebas, can you please share the iRule...
I need help.
I configured two-way auth in F5 LB LTM ver 11.x as per below:
- Client side SSL configured.
- Server side SSL configured with key & cert, and the same key and cert exist on the pool member server.
Only server side SSL auth is working, but client auth is not working. Take it this way: the client shared an OpenSSL self-signed certificate, let's say client_cert.cer. I have imported client_cert.cer into the F5. Then, when I configured the SSL Client Profile, I selected client_cert.cer in the drop-down box of Trusted Certificate Authorities. Is this configuration true, or will I need a different CA certificate from the client?
- nitass
Employee
> I read, somewhere, that we can just set the mode to request and then add an iRule to validate the certificate. Is that possible?

Yes, I think so. For the trusted certificate authorities setting, you can leave it none.
Client Certificate CN Checking (the second example): https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html

> When I configured the SSL Client Profile, I selected the client_cert.cer in the drop-down box of Trusted Certificate Authorities. Is this configuration true?

I think it could work too, but I think the codeshare is more flexible. Hope this helps.
- Muqeem_Baig
Nimbostratus
Hi Nitass, thanks for the same.
Let me explain again. Generally a certificate is signed by a CA like Verisign, etc. In that case, do we require the CA (Verisign) certificate to be installed in the F5 LB, or do we only require the certificate which is signed by Verisign? Because Client SSL Profiles have a field called "Trusted Certificate Authorities", which means it should be the Verisign certificate?
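The approach nitass describes above (Client Certificate set to "request", Trusted Certificate Authorities left at None, and an iRule doing the validation) is shown below as an added example; it is not code from this thread, from the linked codeshare, or from F5. Because the client certificate is self-signed and no CA is trusted, the BIG-IP has nothing to verify the chain against, so checking only the CN, as the codeshare does, is weak: anybody can self-sign a certificate carrying the same CN. This example instead pins the exact certificate by its SHA-256 fingerprint. It assumes a string data group named `allowed_client_cert_fps` (hypothetical name) that lists the lowercase, colon-free SHA-256 fingerprints of the permitted client certificates; the fingerprint of the file the client gave you can be read with `openssl x509 -in client_cert.cer -noout -fingerprint -sha256`, then lowercased with the colons removed.

```tcl
# Added example, not from the thread or F5's codeshare.
# Assumes a Client SSL profile with Client Certificate = request and
# Trusted Certificate Authorities = None, and a string data group named
# "allowed_client_cert_fps" (hypothetical) holding lowercase hex SHA-256
# fingerprints of the permitted self-signed client certificates.
when CLIENTSSL_CLIENTCERT {
    # In "request" mode the handshake completes even when the client sends
    # no certificate, so the iRule itself has to refuse such connections.
    if { [SSL::cert count] == 0 } {
        log local0. "No client certificate from [IP::client_addr]; rejecting"
        reject
        return
    }

    # SSL::cert 0 is the DER-encoded leaf certificate the client presented.
    set der [SSL::cert 0]

    # SHA-256 over the DER bytes is the certificate fingerprint; convert the
    # binary digest to lowercase hex so it can be compared with the data group.
    binary scan [sha256 $der] H* fp
    set fp [string tolower $fp]
    set subject [X509::subject $der]

    # Match on the fingerprint, not the CN: with no trusted CA, the
    # fingerprint is the only thing that identifies this exact certificate.
    if { [class match $fp equals allowed_client_cert_fps] } {
        log local0. "Accepted client cert '$subject' fp=$fp from [IP::client_addr]"
    } else {
        log local0. "Rejected client cert '$subject' fp=$fp from [IP::client_addr]"
        reject
    }
}
```

Two caveats for a production version: first, `CLIENTSSL_CLIENTCERT` fires when the certificate is received during a full handshake, so a resumed SSL session can skip it; the usual mitigation is to record the outcome in the session table keyed on `[SSL::sessionid]` and check that entry in `CLIENTSSL_HANDSHAKE`. Second, pinning a certificate means the data group must be updated whenever the client rotates or renews its self-signed certificate, so plan that with the client side before the old one expires.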