Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Configuring Smart Card Authentication to BIG-IP Management Interface

Developed on BIG-IP Version 13.1 It's been quite a while since my last article, so I wanted to come up with something that I know would benefit all current, future and past customers. Over the pas...
Published May 16, 2018
Version 1.0
13.1.0
application delivery
authentication
big-ip
security
smart card
TMOS
Steve_Lyons's avatar
Ret. Employee
My name is Steve Lyons and I reside in Tampa, FL with my 3 children, wife and Frenchie. We live the typical Florida life of swimming, fishing, boating, and BBQ. I started my F5 journey as a customer in 2009 where I was first introduced to it as a "load balancer." I have since deployed and maintained all modules realizing the BIG-IP is so much more. I joined F5 in 2015 where I have made it a personal mission to educate as many people as I can so they too can take advantage of the tremendous potential of the BIG-IP.
View Profile
Aquri's avatar
Aquri
Icon for Nimbostratus rankNimbostratus
Oct 29, 2019

I'm receiving certificate invalid errors -- does anyone what I might be doing wrong?

I'm able to get to the login page and requests for my certificate, after entering the pin I receive username/password error.

 

I have verified ssl-cname-otheroid is correct as per the configuration. Please see the logs and configs below.

 

Oct 28 21:25:37 ip-hostname err httpd[17103]: [error] [client x.x.x.x] Invalid client certificate provided by /C=**/O=**************/OU=***/OU=***/OU=*************/CN=************************ (Hint: examine 'tmsh list auth cert-ldap' and confirm proper configuration of ssl-cname-field and/or ssl-cname-otheroid properties.)

Oct 28 21:26:48 ip-hostname err httpd[16849]: [error] [client 127.1.1.3] Re-negotiation handshake failed: Not accepted by client!?

 

(tmos)# list sys httpd

sys httpd {

  auth-pam-dashboard-timeout on

  auth-pam-idle-timeout 600

  ssl-ca-cert-file /Common/Trusted_Bundle

  ssl-ocsp-default-responder http://********

  ssl-ocsp-enable on

  ssl-ocsp-override-responder on

  ssl-verify-client require

}

 

(tmos)# list auth cert-ldap

auth cert-ldap system-auth {

  bind-dn "CN=********,OU=*******,OU=********,DC=***,DC=******"

  bind-pw **********************8

  check-roles-group enabled

  debug enabled

  login-attribute userPrincipalName

  login-filter [a-zA-Z0-9]\\\\w*(\\\?=@)

  port ldaps

  search-base-dn DC=****,DC=****

  servers { ******** }

  ssl-ca-cert-file Trusted_Bundle.crt

  ssl-client-cert *******************

  ssl-client-key *******************

  ssl-cname-field san-other

  ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3

  sso on

}