LTM two-way SSL authentication with a specific client cert, not CA cert

DifanZ · ‎27-May-2022

Hi experts,

I am trying to set up the SSL two-way authentication following this link https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with the client cert signed by the CA (e.g., DigiCert), correct? How do I make it only accepts a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in the field and the GUI accepts the setting but doesn't work.

Thanks!

xuwen · ‎27-May-2022

when CLIENTSSL_HANDSHAKE {
	if { [SSL::cert count] > 0 } {
		if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } {
			return
		} else {
			log local0. "invalid client cert post, subject is: [X509::subject [SSL::cert 0]]"
			drop
		}
	}
}

DifanZ · ‎28-May-2022

Thank you Xuwen! So it is not possible to do it in the GUI, and an irule would be required for this, correct?

xuwen · ‎28-May-2022

sure, you can don't need irules, only use GUI,First, you need to let Client SSL profile the option "Client Certificate" value set to "Require", then you can use a self-signed CA certificate(

K14499: Using OpenSSL to create CA and client certificates (11.x - 16.x)

), instead of using a public CA certificate, use the self-signed CA certificate to sign the client certificate to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way ssl

DifanZ · ‎28-May-2022

Hi Mollie, thanks but you referenced exactly the same link as in my original post... It doesn't work for my need.

DevCentral

LTM two-way SSL authentication with a specific client cert, not CA cert

Khoros Kudos Award 2022