Forum Discussion
Client Certificate authentication clarifications
Hi,
I need some clarification regarding client authentication via certificate.
We need to give only one of our clients access to a specific URI on our website via certificate, while all the other customers will continue to access all the other URIs without any certificate.
The first starting point is in the client SSL profile, where we should set Client Authentication to "REQUEST" in order to terminate the handshake even if the certificate is not correct or no certificate is sent by the client.
Our goal is that F5, when sending the Certificate Request packet, asks the client for a specific certificate and does not give the possibility to send any certificate.
To do this, do we have to configure, in the client SSL profile, the Advertised Certificate Authority with the CA that generated the certificate we are expecting? Is that correct?
With this setting, are the Distinguished Names relating to the certificate then populated in the Certificate Request packet, and will the browser only propose sending this specific certificate and not other certificates?
Reading this article, we seem to have understood this scenario, but I would like to ask you for confirmation too: https://community.f5.com/t5/technical-articles/client-ssl-authentication-on-big-ip-as-in-depth-as-it-can-go/ta-p/281020
Subsequently, through an iRule we will discriminate access to the single URI that requires the certificate.
Do you see any issues in this implementation? It has not yet been tested in our environment.
I hope our doubt is clear; if it is not, I will try to explain myself better.
Thanks
Regards
- Manuel_Altocumulus
Hi,
I have done something similar to what you describe. I posted a question which shows some of my configuration to achieve that; you can see it here: Solved: C3D first request problem - DevCentral (f5.com)
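
A sketch of the iRule step described in the question, added here as an example and not taken from either poster's configuration. It assumes the client SSL profile uses Client Certificate "request", so the handshake completes with no certificate or with one that failed validation, and the iRule has to check the verification result itself; the `/partner/` prefix and the subject DN are hypothetical placeholders.

```tcl
# Added example, not from the thread. Hypothetical values: the protected
# URI prefix and the expected subject DN.
when RULE_INIT {
    set static::protected_prefix "/partner/"
    set static::expected_subject "CN=partner-client.example,O=Example Partner,C=IT"
}

when HTTP_REQUEST {
    # Every other URI stays reachable without a client certificate.
    # Lower-casing the path keeps /Partner/ from slipping past the check.
    if { not ([string tolower [HTTP::path]] starts_with $static::protected_prefix) } {
        return
    }

    # "request" mode lets the handshake finish when no certificate is sent.
    if { [SSL::cert count] == 0 } {
        log local0.notice "No client cert from [IP::client_addr] for [HTTP::path]"
        HTTP::respond 403 content "Client certificate required"
        return
    }

    # It also lets the handshake finish when the certificate did not
    # validate against the trusted CA, so a non-zero result must be refused.
    set result [SSL::verify_result]
    if { $result != 0 } {
        log local0.notice "Client cert rejected for [IP::client_addr]:\
            [X509::verify_cert_error_string $result]"
        HTTP::respond 403 content "Client certificate not valid"
        return
    }

    # The Advertised Certificate Authority setting is only a hint to the
    # browser; the client can still send another certificate from the same
    # CA, so compare the whole subject rather than a substring of it.
    # Log X509::subject once on the device to confirm the DN string format.
    set subject [X509::subject [SSL::cert 0]]
    if { $subject ne $static::expected_subject } {
        log local0.notice "Unexpected subject '$subject' from [IP::client_addr]"
        HTTP::respond 403 content "Client certificate not authorized"
        return
    }
}
```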