SSL Profiles Part 8: Client Authentication
This is the eighth article in a series of Tech Tips that highlight SSL Profiles on the BIG-IP LTM.
SSL Overview and Handshake
SSL Certificates
Certificate Chain Implementation
Cipher Suite...
Updated Mar 25, 2023
Version 3.0
ltwagnon
Ret. Employee
Joined May 15, 2019
aries22
Jan 18, 2019
Altocumulus
Hi! I'm reading up on this topic and checking the procedure for implementing it. However, there are some items that are still not clear to me (more on the client side), hence I would like your help so that I can understand properly. Please feel free to correct me if my statements are wrong:
- So the client needs its own certificate signed by a CA. The CA certificate (root CA?) will be imported into BIG-IP and associated with the Trusted Certificate Authority under the Client Authentication field of the client SSL profile.
- When generating the client certificate, I am assuming it is much like generating a server certificate, wherein a CSR and private key will be created, and the client certificate will be issued using the CSR.
- Both the client certificate and client private key shall be imported on the client device.
- In the case where, let's say, 100 client devices are expected to connect to the VS for client authentication, should each client be generated with their own unique certificate?
Thank you and so sorry again if my understanding of this topic is not correct.