Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

LTM two-way SSL authentication with a specific client cert, not CA cert

DifanZ
Cirrus
Cirrus

‎27-May-2022 11:42

Hi experts,

I am trying to set up the SSL two-way authentication following this link https://support.f5.com/csp/article/K12140946#test. It is successful when I choose a CA certificate in the "Trusted Certificate Authorities" field in the Client SSL profile. However, this would authenticate anyone with the client cert signed by the CA (e.g., DigiCert), correct? How do I make it only accepts a specific client cert (e.g. xyz.example.com but not abc.example.com)? I have tried to specify the client cert in the field and the GUI accepts the setting but doesn't work.

Thanks!

Labels:
0 Kudos
4 REPLIES 4

xuwen
MVP
MVP

‎27-May-2022 20:15 

when CLIENTSSL_HANDSHAKE {
	if { [SSL::cert count] > 0 } {
		if { [X509::subject [SSL::cert 0]] contains "CN=xyz.example.com" } {
			return
		} else {
			log local0. "invalid client cert post, subject is: [X509::subject [SSL::cert 0]]"
			drop
		}
	}
}
0 Kudos

DifanZ
Cirrus
Cirrus
In response to xuwen

‎28-May-2022 09:08

Thank you Xuwen! So it is not possible to do it in the GUI, and an irule would be required for this, correct?

0 Kudos

xuwen
MVP
MVP
In response to DifanZ

‎28-May-2022 19:22

sure, you can don't need irules, only use GUI,First, you need to let Client SSL profile the option "Client Certificate" value set to "Require",  then you can use a self-signed CA certificate(

), instead of using a public CA certificate, use the self-signed CA certificate to sign the client certificate to test the verification, and use curl --key xxx --cert xxx on the client side to test two-way ssl

0 Kudos

DifanZ
Cirrus
Cirrus
In response to Mollie255

‎28-May-2022 09:09

Hi Mollie, thanks but you referenced exactly the same link as in my original post... It doesn't work for my need.

0 Kudos
Copyright © 2023 Khoros, LLC