Technical Forum
double authentication with check CN serial number and certificate authority

Jean_Mamène (Cirrus)

Hello,

We have version 16 of BIG-IP LTM.
We have a virtual server on which several URLs of the same domain are defined, all of which send requests to the same pool of servers. On this virtual server, and for one specific URL, we need double certificate authentication: only a certificate should authorize the connection to the server pool. We want to check that the Common Name, Serial Number and Certificate Authority are correct in order to identify the certificate.

Example:
The virtual server "example.com" has the following URLs defined:
- url1.example.com
- url2.example.com
- url3.example.com
- url4.example.com with double authentication

Client certificate:
- CommonName = url4.example.com
- serial_number = 0123456789abcdef
- certificate authority = MyCertificateAuthority

I wanted to know whether it is possible to set up the URL with double authentication on the same vhost as the other URLs, or whether it should be set up on a new virtual server.
In both cases, what configuration should be set up to solve this problem?

Best regards.

6 REPLIES

Hi @Jean_Mamène,

Take a look at this knowledge base article: K13452: Configure a virtual server to serve multiple HTTPS sites using the TLS Server Name Indicatio....
You can use it to assign a specific SSL profile that requires client cert auth to the host you want to authenticate.

Please pay attention to URL, Host, FQDN and other terms. It makes discussions here in devcentral much easier when the correct terms are used.

KR
Daniel

CA_Valli (MVP)

Hello @Jean_Mamène ,

It should be possible to have this work on the same VIP, theoretically.
To configure client authentication, you need to build a clientSSL profile and configure it for the specific SNI "url4.example.com", and enable client authentication with the "require" setting on this same profile. You should import the trusted CA that signed this certificate on the BIG-IP.
https://my.f5.com/manage/s/article/K13452
https://my.f5.com/manage/s/article/K12140946

The next step is verifying the client-certificate information (SN, etc.) at authentication time. This can be achieved via an iRule.
You can get ideas from the code here and tune it to check/match the requirements of your deployment.
https://clouddocs.f5.com/api/irules/ClientCertificateCNChecking.html
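
The two replies above describe one procedure: pick a clientssl profile by SNI for url4.example.com with client authentication set to "require" and the issuing CA imported as its trusted bundle, then pin the certificate fields in an iRule. The following iRule is an added example written for this thread; it is not code from the thread, from the linked clouddocs page, or from F5. The expected CN, serial number and issuer CN are the values from the question, the session timeout and log text are arbitrary, and it assumes the profile already validates the chain (the iRule only checks SSL::verify_result as a belt-and-braces measure, which matters if the profile is ever relaxed to "request").

```tcl
# Added example iRule (not from the thread or from F5): gate requests for
# url4.example.com on a client certificate whose subject CN, serial number and
# issuer CN match pinned values. The other hosts on the same virtual server are
# not affected. Assumes a clientssl profile (SNI url4.example.com, Client
# Certificate = require, CA "MyCertificateAuthority" in the trusted bundle)
# has already validated the chain before CLIENTSSL_CLIENTCERT fires.

when CLIENTSSL_CLIENTCERT {
    # Pinned values taken from the question; adjust to the real certificate.
    set allowed_cn        "url4.example.com"
    set allowed_serial    "0123456789abcdef"
    set allowed_issuer_cn "MyCertificateAuthority"

    set verdict "denied"
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        set cert    [SSL::cert 0]
        set subject [X509::subject $cert]
        set issuer  [X509::issuer $cert]
        # Normalise the serial: drop colon/space separators and lower-case it,
        # so "01:23:45:..." and "0123456789abcdef" compare equal.
        set serial [string tolower [string map {":" "" " " ""} [X509::serial_number $cert]]]

        # Extract CN as a whole RDN value instead of a substring match, so a
        # subject CN such as "url4.example.com.attacker.example" does not pass.
        set cn ""
        set issuer_cn ""
        regexp -nocase {(?:^|,)\s*CN=([^,]+)} $subject -> cn
        regexp -nocase {(?:^|,)\s*CN=([^,]+)} $issuer  -> issuer_cn

        if { [string tolower [string trim $cn]] eq [string tolower $allowed_cn]
             && $serial eq [string tolower $allowed_serial]
             && [string trim $issuer_cn] eq $allowed_issuer_cn } {
            set verdict "allowed"
        } else {
            log local0. "client cert rejected: subject=<$subject> serial=<$serial> issuer=<$issuer>"
        }
    }
    # Store the verdict per TLS session: CLIENTSSL_CLIENTCERT does not fire
    # again on a resumed session, but HTTP_REQUEST does. 3600 s is arbitrary.
    session add ssl [SSL::sessionid] $verdict 3600
}

when HTTP_REQUEST {
    # Strip an optional :port from the Host header before comparing.
    set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
    if { $host eq "url4.example.com" } {
        # SNI is chosen by the client, so profile selection by SNI is not a
        # security boundary on its own: a client can send SNI url1.example.com
        # (no certificate required) together with Host: url4.example.com. Such
        # a session never reached CLIENTSSL_CLIENTCERT, so it has no "allowed"
        # verdict and is refused here.
        if { [session lookup ssl [SSL::sessionid]] ne "allowed" } {
            HTTP::respond 403 content "Forbidden: client certificate required" "Content-Type" "text/plain"
            return
        }
    }
}
```

Attach the iRule to the shared HTTPS virtual server after the SNI-specific clientssl profile from K13452 is in place. Because the verdict is keyed by TLS session ID, the Host check in HTTP_REQUEST is what actually enforces the policy; the SNI profile only decides whether a certificate is requested during the handshake.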

Jean_Mamène (Cirrus)

Hello, thank you for your feedback.
@Daniel_Wolf, I'll be more careful next time about the vocabulary used.
I'm currently running tests and I'll get back to you to confirm that it's working properly.

Jean_Mamène (Cirrus)

Hello,

I'm back to give you some news.
We have created a specific vhost for testing purposes and so as not to impact the other services hosted on the shared virtual servers.
The iRule for verifying the CN and serial number of the certificate is up and running (validated by the customer).
We'll now look at configuring the SSL client profile.

Best regards.

Thanks for the feedback! Let us know if we can help you further in configuring this 😉

@Jean_Mamène,

If your original issue was resolved please choose Accept As Solution on one (or more) replies.

This helps other members find answers more quickly and confirms the efforts of those who helped.
Thanks for being part of our community.
Lief