Creating, Importing and Assigning a CA Certificate Bundle

Steve_Lyons · ‎30-Jul-2018

Within this article, I will be using a personal and relative use case to my own customers. While many organizations may only have one or two Root CA's to identify, the US Department of Defense has numerous CA's sometimes making it difficult for new F5 admins to grasp the concept of a certificate bundle and where to use it. In this article I wanted to take just a few minutes to walk you through the creation of a CA bundle, importing it into the BIG-IP and where you would apply the bundle to perform functions such as smart card authentication. If you would like to attempt to use the cert bundle iApp created by F5, the iApp deployment guide can be found using the link below though deploying that iApp is outside the scope of this document. With all of that, let's begin.

https://f5.com/solutions/deployment-guides/ca-bundle-iapp-big-ip-v115-v12

Obtaining all CA's to Include in the Bundle

For DoD customers, navigate to https://iase.disa.mil/pki-pke/Pages/index.aspx
Select For Administrators, Integrators and Developers
Select Tools and continue to browse until you locate PKI CA Certificate Bundles: PKCS#7
Select and download the certificate bundle that is appropriate for your organization though as an example I have selected For DoD PKI Only.

Locate the Zip file in the directory you downloaded it to, right click and select extract.

Copy Required Files to the BIG-IP

After you have extracted all of the files within the .zip file, using your preferred SCP application, copy the file name with the extension of .pem.p7b as shown in this example Certificates_PKCS7_v5.3_DoD.pem.p7b.

Note: For Windows users PowerShell can be used to SCP files though if you prefer WinSCP it is certainly acceptable.

Run the command scp -p @:

Convert the PKCS Certificate to PEM format

SSH to the BIG-IP
Navigate to the directory you placed the .p7b file during the SCP process above.
Run the command openssl pkcs7 -in .p7b -text -out .pem -print_certs to convert the file from the p7b file format to pem.

Once you have converted the file from p7b to pem format run the command tmsh install sys crypto cert from-local-file to import the file into the BIG-IP certificate store.
To save the config, run the command save sys config

Validate Cert Bundle was Imported

Log into the BIG-IP TMUI >> System >> Certificate Management >> Traffic Certificate Management >> SSL Certificate List
Locate the certificate name that you used in the previous step to import the pem file into the certificate store.

To view the certificates included in that bundle, click the certificate bundle and within the certificate tab you can view all certificates.

Assign the CA Bundle to a SSL Client Profile

This task is most commonly used in SSL client profiles assigned to applications performing smart card or user certificate based authentication.

Navigate to Local Traffic >> Profiles >> SSL >> Client

Select the profile that will be used for client authentication
Scroll until you reach Client Authentication
From the drop down menu for Trusted Certificate Authorities, select the bundle created in the previous steps.
From the drop down menu for Advertised Certificate Authorities, select the bundle created in the previous steps.

Click Update

The Trusted Certificate Authorities setting is required only if the BIG-IP system performs Client Certificate Authentication. This setting is specifies the BIG-IP system's Trusted Certificate Authorities store (the CAs that the BIG-IP system trusts when the system verifies a client certificate that is presented during Client Certificate Authentication).

The Advertised Certificate Authorities setting is optional. You can use it to specify the CAs that the BIG-IP system advertises as trusted when soliciting a client certificate for client certificate authentication. If the Client Certificate setting is configured to Require or Request, you can configure the Advertised Certificate Authorities setting to send clients a list of CAs that the server is likely to trust.

At this point you have successfully created, imported and assigned your new certificate bundle. If you would like to view a complete guide on configuring smart card authentication, please view my articles on DevCentral. Until next time!

RandyMoran_1359 · ‎01-Nov-2018

Nice write-up, Steve. Thanks!

computerli · ‎07-Jan-2019

Hi Steve, Why did you selected the Bundle under Client Authentication > Trusted Certificate Authorities when client authentication is not set to "required"

If client authentication is not required, will the Bundle add value when selected under Configuration > Chain option ?

Steve_Lyons · ‎07-Jan-2019

Good question. In a scenario where you configure request versus require, you are potentially allowing a secondary authentication method if the client does not present a client certificate. In the event a client certificate is presented even if it is set to request, the SSL Client profile will validate the certificate was issued by a CA in that bundle. If it was not, it will either deny access or you can configure the VPE to allow another authentication method. If I get around to it, I will provide a VPE screenshot that has this scenario.

If this is an Access Policy that is ONLY configured for non-certificate-based authentication (AD, LDAP, Forms, etc.), this setting is not required.