Forum Discussion

stupid48
Feb 02, 2019

Client cert authentication is not working - "application verification failure"

So my organization has its own RootCA and subordinate authority. I tried adding a certificate bundle by taking the base-64 encoding from the RootCA and the subordinate authority and pasting them both as a bundle. I assigned the bundle to a Client SSL profile for both the Trusted Certificate Authorities and the Advertised Certificate Authorities.

The workstation I'm testing with has an Active Directory assigned "Client Authentication" certificate that is basically the computer name (fully qualified) and is issued by the subordinate authority. When I try browsing the website in Chrome, it reports:

eddiapp.domain.com didn’t accept your login certificate, or one may not have been provided. Try contacting the system admin. ERR_BAD_SSL_CLIENT_AUTH_CERT

LTM (12.1.2) reports Connection error: ssl_shim_vfycerterr:4530: application verification failure (46)

I'm assuming the client is not presenting the cert. I added an iRule to check and it appears to be the case.

I created a CA pem file via SSH with both CAs in it and also copied the client cert over as well and ran this:

openssl verify -CAfile ca.pem ITD-35147.pem
ITD-35147.pem: OK

I'm not sure what I'm missing. Can anybody shed some light?

Thanks, Chris

2 Replies

  • Can you share your clientssl profile settings? For client certificate authentication to work, the peer-cert-mode property has to be changed to Require. The default property is ignore.

  • I resolved this. The client authentication certificate on the machine was not being passed. Looking at certificates in Chrome, the cert that was being pushed to the client via Active Directory was showing up in the "Other People" tab which apparently means that the browser thinks it's not installed correctly or it's invalid. We did a manual request and that one is appearing in the "Personal" tab and that one works now. I need to investigate the behavior but at least it's working.
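The two checks the thread ends up relying on (the poster's openssl verify against a bundle of both CAs, and the second reply's finding that a certificate without its private key cannot be presented) can be reproduced offline. This is an added example, not code from the thread or from F5; it builds a throwaway root CA, subordinate CA and client cert with made-up names (Example Root CA, Example Sub CA, ws01.example.test) and assumes only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway two-tier PKI shaped
# like the poster's (root CA -> subordinate CA -> client cert) and runs the
# two checks worth doing before blaming the BIG-IP: does the CA bundle hold
# the whole chain, and does the client cert have its private key at all
# (a cert that landed in "Other People" has no key and cannot be presented).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast throwaway keys

# --- constructed test PKI; every name here is made up --------------------
openssl req -x509 $EC -keyout root.key -out root.pem -days 2 \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >sub.ext
openssl req -new $EC -keyout sub.key -out sub.csr -subj "/CN=Example Sub CA" >/dev/null 2>&1
openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile sub.ext -days 2 -out sub.pem >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >client.ext
openssl req -new $EC -keyout client.key -out client.csr -subj "/CN=ws01.example.test" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -extfile client.ext -days 2 -out client.pem >/dev/null 2>&1

cat root.pem sub.pem >full-bundle.pem   # root + subordinate, as the poster pasted them
cp root.pem root-only.pem               # same bundle with the subordinate CA left out

# Check 1: can a path client -> sub -> root be built from the bundle alone?
# This is the poster's "openssl verify -CAfile ca.pem <client cert>".
chain_ok() {  # $1 = CA bundle, $2 = leaf cert; returns 0 when openssl prints OK
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: does the private key on disk belong to this cert? Compares the
# SubjectPublicKeyInfo derived from each side; a mismatch (or no key) means
# the cert cannot be offered for client auth whatever the profile says.
key_matches() {  # $1 = cert, $2 = private key; returns 0 on match
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

chain_ok full-bundle.pem client.pem && echo "full bundle: chain OK" || echo "full bundle: FAIL"
chain_ok root-only.pem client.pem && echo "root only:   chain OK" || echo "root only:   FAIL (missing sub CA)"
key_matches client.pem client.key && echo "client key:  matches cert" || echo "client key:  MISMATCH"
```

Run against a real bundle and client cert, the second check is the quick way to tell a "Personal" certificate (key present) from an "Other People" one before touching the clientssl profile.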