Creating, Importing and Assigning a CA Certificate Bundle
In this article, I will use a use case that is personal and relevant to my own customers. While many organizations may have only one or two Root CAs to identify, the US Department of Defense has nu...
Steve_Lyons
Steve_Lyons
Jan 07, 2019 (Ret. Employee)
Good question. In a scenario where you configure request versus require, you are potentially allowing a secondary authentication method if the client does not present a client certificate. In the event a client certificate is presented even if it is set to request, the SSL Client profile will validate the certificate was issued by a CA in that bundle. If it was not, it will either deny access or you can configure the VPE to allow another authentication method. If I get around to it, I will provide a VPE screenshot that has this scenario.
If this is an Access Policy that is ONLY configured for non-certificate-based authentication (AD, LDAP, Forms, etc.), this setting is not required.
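As an added illustration (not part of the article or the reply above), the check the reply describes, that a presented client certificate was issued by a CA in the bundle, can be reproduced offline with the openssl CLI. The CA names RootA/RootB/RootC and the client names alice/outsider are constructed for the demo; importing the bundle into the BIG-IP and assigning it to the profile are not shown.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally
# for illustration and does not come from the article.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_ca NAME: create a self-signed root CA (NAME.key / NAME.crt).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# issue_client CA NAME: create client certificate NAME.crt signed by CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
  openssl x509 -req -in "$work/$2.csr" -CA "$work/$1.crt" \
    -CAkey "$work/$1.key" -CAcreateserial -days 1 \
    -out "$work/$2.crt" 2>/dev/null
}

# in_bundle NAME: succeed only if NAME.crt chains to a CA in bundle.crt.
in_bundle() {
  openssl verify -CAfile "$work/bundle.crt" "$work/$1.crt" >/dev/null 2>&1
}

make_ca RootA
make_ca RootB
make_ca RootC

# The bundle is the trusted PEM certificates concatenated into one file.
# RootC is deliberately left out.
cat "$work/RootA.crt" "$work/RootB.crt" > "$work/bundle.crt"

issue_client RootB alice      # issuer is in the bundle
issue_client RootC outsider   # issuer is not in the bundle

for c in alice outsider; do
  if in_bundle "$c"; then
    echo "$c: issued by a CA in the bundle"
  else
    echo "$c: no issuing CA in the bundle"
  fi
done
```
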