on 30-Jul-2018 06:00
Within this article, I will be using a personal and relative use case to my own customers. While many organizations may only have one or two Root CA's to identify, the US Department of Defense has numerous CA's sometimes making it difficult for new F5 admins to grasp the concept of a certificate bundle and where to use it. In this article I wanted to take just a few minutes to walk you through the creation of a CA bundle, importing it into the BIG-IP and where you would apply the bundle to perform functions such as smart card authentication. If you would like to attempt to use the cert bundle iApp created by F5, the iApp deployment guide can be found using the link below though deploying that iApp is outside the scope of this document. With all of that, let's begin.
Note: For Windows users PowerShell can be used to SCP files though if you prefer WinSCP it is certainly acceptable.
This task is most commonly used in SSL client profiles assigned to applications performing smart card or user certificate based authentication.
The Trusted Certificate Authorities setting is required only if the BIG-IP system performs Client Certificate Authentication. This setting is specifies the BIG-IP system's Trusted Certificate Authorities store (the CAs that the BIG-IP system trusts when the system verifies a client certificate that is presented during Client Certificate Authentication).
The Advertised Certificate Authorities setting is optional. You can use it to specify the CAs that the BIG-IP system advertises as trusted when soliciting a client certificate for client certificate authentication. If the Client Certificate setting is configured to Require or Request, you can configure the Advertised Certificate Authorities setting to send clients a list of CAs that the server is likely to trust.
At this point you have successfully created, imported and assigned your new certificate bundle. If you would like to view a complete guide on configuring smart card authentication, please view my articles on DevCentral. Until next time!
Nice write-up, Steve. Thanks!
Hi Steve, Why did you selected the Bundle under Client Authentication > Trusted Certificate Authorities when client authentication is not set to "required"
If client authentication is not required, will the Bundle add value when selected under Configuration > Chain option ?
Good question. In a scenario where you configure request versus require, you are potentially allowing a secondary authentication method if the client does not present a client certificate. In the event a client certificate is presented even if it is set to request, the SSL Client profile will validate the certificate was issued by a CA in that bundle. If it was not, it will either deny access or you can configure the VPE to allow another authentication method. If I get around to it, I will provide a VPE screenshot that has this scenario.
If this is an Access Policy that is ONLY configured for non-certificate-based authentication (AD, LDAP, Forms, etc.), this setting is not required.